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Introduction 

Privacy rights have been a hotly debated issue for the past few 
decades, increasingly so with the ever-growing presence of the 
Internet in the daily lives of Americans. The reach of the Internet 
has expanded so significantly that according to a recent poll 
conducted by BBC World Service, nearly four out of five people 
across the world believe that access to the Internet is a fundamental 
right.' This survey of more than 27,000 adults across twenty-six 
countries suggests that the Internet should be regarded as basic 
infrastructure and that this right to communicate should not be 
ignored. While some countries, including Finland and Estonia, 
have ruled that Internet access is a human right for their citizens, 
questions remain about the appropriate level of government 
oversight of certain aspects of the Internet. Though nearly 
seventy-nine percent of the survey respondents either strongly 
agreed or somewhat agreed with the characterization of access to 


Internet Access Is ‘A Fundamental Right,’ BBC News, Mar. 8, 2010, 
http://news.bbc.co.Uk/2/hi/8548190.stm. 

Id. 

Id. 
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the Internet as a fundamental right and believed in its positive 
impaet in bringing them greater freedom, many also expressed 
eoneerns: in rank order, these ineluded fear of fraud, easy aeeess to 
explieit and violent eontent, and privaey worries."^ 

The faet that privacy appears third on this list of concerns is 
itself disturbing. Think about how much time you, the reader, 
spend on the Internet each day. You can read your e-mail 
messages, make a purchase online, read a blog,^ or conduct 
searches using Google, Bing, Yahoo!, or another of the myriad 
of Internet search engines available. Both the sheer number of 
users, each conducting individual activities on the Internet, and the 
amount of personal information shared in each of those activities 
(e.g., typing in an e-mail password, or entering a credit card 
number when making an online purchase) is staggering. If this 
highly sensitive information, or even something more innocuous 
such as a user’s search terms,^ were to enter the wrong hands, the 
consequences could be dire. 

In response, the United States government, beginning in 1998, 
created initiatives aimed at the protection of cyber systems. These 
initiatives designated cyber systems as a part of the nation’s critical 
infrastructure.Subsequent government initiatives were designed 
to reinforce the important role of cyberspace in America, while 
striving to maintain a balance between government oversight and 


^ See Michael Conniff, Just What Is a Blog, Anyway?, Online Journalism Rev. 
(Sept. 29, 2005), http://www.ojr.org/ojr/stories/050929. 

® Google Corporate Information, Company Overview, Google, http://www.google. 
com/corporate (last visited May 2, 2010). 

’ Discover Bing, BiNG, http://www.discoverbing.com^ehindbing/about.aspx (last 
visited May 2, 2010). 

* Corporate Information, Yahoo!, http://info.yahoo.com/center/us/yahoo/ (last visited 
Aug. 10, 2010). 

^ See, e.g.. About Google Trends, Google Trends, http://www.google.com/intl/en/ 
trends/about.html (last visited Sept. 13, 2010). Google Trends allows a user to see data 
about how often a given topic has been entered into the Google search engine over time, 
on a particular day, or in a specific geographic region. Id. 

White House, Critical Infrastructure Protection PDD-63 1-2 (May 22,1998) 
[hereinafter PDD-63], available at http://www.fas.org/irp/offdocs/pdd/pdd-63.pdf; see 
also infra Part LA. 
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individual privacy rights/^ Several prominent privacy rights 

organizations have heavily eriticized the government’s 

12 

involvement in Internet regulation and seeurity. 

The efforts of private eorporations to proteet personal data 
online have also been subjected to eritieism. For example, the 
satirieal newspaper The Onion reeently published an article in 
response to some of the privaey eoneerns assoeiated with the 
Internet giant, Google. While the artiele speeifieally attaeked a 
new Google serviee that had reeently launehed,^"^ it also generally 
deseribed a worst-ease scenario involving the private data of 
Google users. It reported a fictitious apology issued by Google 
CEO, Eric Schmidt. In the artiele, Schmidt apologized to Google 
users, “partieularly the 1,237,948 who take daily medieation to 
eombat anxiety—for eausing unneeessary distress, and . . . 
expressed regret—partieularly to Patrieia Eort, a single mother 
taking care of Jordan, Sam, and Rebecea, ages 3, 7, and 9—for not 
doing more to ensure that private information remains private.”’^ 


See, e.g., PDD-63, supra note 10. 

See. e.g., Ctr. for Democracy & Tech., http://www.cdt.org/issue/cybersecurity 
(last visited Sept. 13, 2010); Cybersecurity Privacy Practical Implications, Elec. 
Privacy Info. Ctr., http://epic.org/privacy /cybersecurity/default.html (last visited Sept. 
13, 2010); Online Privacy c& Technology, Privacy Rights Clearinghouse, 
http://www.privacyrights.org/Online-Privacy-and-Technology (last visited Sept. 13 
2010); Technology and Liberty, Am. Civil Liberties Union, http://www. 
aclu.org/technology-and-liberty (last visited Sept. 13 2010); cf. U.S. Dep’t of Homeland 
Sec., DHS Privacy Office Annual Report to Congress 44^5 (Sept. 2009), available 
at http://www.dhs.gov/xlibrary/assets/privacy/privacy_rpt_annual_ 2009.pdf. Despite the 
vocal criticisms of government regulation of the Internet, only two pages of the most 
recent DHS privacy report to Congress are dedicated to cybersecurity. See id. 

See Google Responds to Privacy Concerns with Unsettlingly Specific Apology, The 
Onion (Mar. 2, 2010), http://www.theonion.com/content/news/google_responds_to_ 
privacy [hereinafter Google Responds to Privacy Concerns]. 

Id. On February 9, 2010, Google launched a product called Buzz, which created a 
social networking platform within Gmail, Google’s webmail service, through which users 
were set up to automatically “share” interesting items (photos, videos, links to Web sites, 
etc.) with the user’s most frequent Gmail contacts. Several days later, Google made a 
number of improvements in response to a flurry of user criticisms concerning the privacy 
of their individual data as visible through Buzz. See Todd Jackson, A New Buzz Start-Up 
Experience Based on Your Feedback, Official Gmail Blog (Feb. 13, 2010, 3:53 PM), 
http://gmailblog.blogspot.eom/2010/02/new-buzz-start-up-experience-based-on.html; 
Todd Jackson, Introducing Google Buzz, OFFICIAL Google Blog (Feb. 9, 2010, 11:06 
AM), http://googleblog.blogspot.com/2010/02/introducing-google-buzz.html. 

Google Responds to Privacy Concerns, supra note 13. 
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The point of the artiele was to illustrate exaetly how mueh personal 
information is available over the Internet, and espeeially to show 
the astounding amount of data shared within Google’s individual 
serviees (e.g., seareh and e-mail). While the pieee is elearly an 
exaggeration, it satirizes lingering Internet privaey eoneerns. Sueh 
eoneerns represent a signifieant part of the diseussion regarding the 
reeent allianee formed between Google and the National Seeurity 
Ageney. This allianee was formed in response to eyberattaeks^^ 
whieh originated in China and targeted Google’s eorporate 
infrastrueture.'^ As a eonsequenee of these eyberattaeks, some of 
Google’s intelleetual property was stolen, prompting it to enlist the 
assistanee of the National Seeurity Ageney to improve the seeurity 
of its digital infrastrueture.'^ 

This Note seeks to explore the allianee between Google and the 
National Seeurity Ageney and how it fits within the framework 
established by the government to proteet the eritieal teehnology 
and eyberseeurity infrastrueture of the United States. It will 
address whether the allianee is eonsistent with or represents a 
departure from existing government polieies, in terms of its 
effeetiveness and the eonsequenees for privaey proteetion. This 
Note argues that the allianee, while retaining eertain elements of 
eurrent government eyberseeurity initiatives, points to elear 
deficieneies in these policies and answers several recent calls for 
change in eyberseeurity programs. This Note concludes that while 
the Google-NSA alliance is a significant step toward improved 
eyberseeurity, more work needs to be done in order to adequately 
protect cyberspace. 

Part I will investigate the history of the United States 
cyberspace policy from the Clinton administration to the present 
administration. It will also explore both Google and the NS A as 
individual entities and outline the available details about the 
alliance. Part II will examine both sides of the debate regarding 


See What Is a Cyberattack?, wiseGEEK, http://www.wisegeek.com/what-is-a- 
cyberattack.htm (last visited May 2, 2010) (“A cyberattack is an attempt to undermine or 
compromise the function of a computer-based system, or attempt to track the online 
movements of individuals without their permission.”). 

See infra Part I.B.l. 

See id. 


18 
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whether the Google-NSA allianee is a produet of existing 
cybsercurity poliey or whether it highlights deficiencies in the 
existing regime. Finally, Part III of this Note will argue that the 
Google-NSA alliance retains the fundamental principles of present 
cyber policy initiatives, but the alliance’s innovations point to 
deficiencies in existing U.S. cybersecurity policy which indicate 
that the current framework needs improvement. This Part will also 
discuss the cybersecurity deficiencies that exist within critical 
infrastructures of the defense sector, and conclude that problems 
across two critical infrastructure sectors suggest that government 
cybersecurity policies to date have been largely deficient and thus 
require improvement. 


I. Background: Cybersecurity Policy, Google, and the 

NSA 

President Barack Obama has identified cybersecurity as one of 
the most significant national security challenges faced by the 
United States today, and recently stated that the nation is not 
sufficiently prepared to respond to cyber threats. Nevertheless, 
there are initiatives currently in place for reviewing and improving 
our nation’s cybersecurity, all of which address the goal of 
protecting and securing the United States in cyberspace. In order 
to comprehend some of the current strategies to achieve this 


Nat’l Sec. Council, The Comprehensive National Security Initiative 1 (Mar. 
2, 2010), available a/http://www.whitehouse.gov/sites/default/files/cybersecurity. pdf 

See, e.g., U.S. Dep’t of Homeland Sec., National Infrastructure Protection 
Plan (2006) [hereinafter 2006 NIPP], available at http://www.fas.org/irp/agency/ 
dhs/nipp.pdf; White House, Cyberspace Policy Review (2009) [hereinafter 
Cyberspace Policy Review], available at http://www.whitehouse.gov/assets/ 
documents/Cyberspace_PoIicy_Review_final.pdf; White House, The National 
Strategy to Secure Cyberspace (2003) [hereinafter National Strategy to Secure 
Cyberspace], available at http://www.dhs.gov/xlibrary/assets/National_Cyberspace_ 
Strategy.pdf; Homeland Security Presidential Directive 7: Critical Infrastructure 
Identification, Prioritization, and Protection, 39 WEEKLY Comp. Pres. Doc. 1816 (Dec. 
17, 2003) [hereinafter HSPD-7], available at http://www.dhs.gov/xabout/laws/gc_ 
1214597989952.shtm#l; Press Release, White House, Remarks by the President on 
Securing Our Nation’s Cyber Infrastructure (May 29, 2010) [hereinafter Remarks by the 
President], available at http://www.whitehouse.gov/the-press-office/remarks-president- 
securing-our-nations-cyber-infrastructure. 

The Comprehensive National Security Initiative, supra note 19. 
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objective, one must have a broad understanding of past and present 
cyberspace policy, as well as background knowledge of the two 
organizations comprising the Google-NSA alliance. 

A. History of United States Cybersecurity Policy 

Citing the nation’s increasing reliance on cyber-based 
information systems, the United States government began focusing 
on the cyber aspects of critical infrastructure in 1998. Since then, 
the nation’s reliance on the Internet has increased exponentially 
and cybersecurity initiatives have reflected this augmented usage, 
focusing on several particular areas: partnerships between the 
public sector and private industry, information sharing in 
cyberspace, and concern for the privacy rights and civil liberties of 
the individual. 

1. 1998-2002 

On May 22, 1998, President Clinton issued Presidential 
Decision Directive/PDD-63 (“PDD-63”), which took a broad view 
of critical infrastructure protection. The directive defined critical 
infrastructures as “those physical and cyber-based systems 
essential to the minimum operations of the economy and the 
government.This definition encompassed a variety of sectors, 
including, but not limited to, “telecommunications, energy, 
banking and finance, transportation, water systems and emergency 
services, both governmental and private.” Historically, many of 
these infrastructure systems had been separate and independent 
from each other, both physically and logically; however, 
government documents often refer to critical infrastructure 
collectively as Critical Infrastructure and Key Resources 
(“CIKR”).^’ 


PDD-63, supra note 10, at 1. 
See generally id. 

2'* Id. all. 


See, e.g., 2006 NIPP, supra note 20; see also U.S. Dep’t of Def., Defense 
Industrial Base: Critical Infrastructure and Key Resources Sector-Specific 
Plan as Input to the National Infrastructure Protection Plan (2007) [hereinafter 
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Technological advances and increased efficiencies have created 
a level of interdependence and connectivity between the nation’s 
various critical infrastructures. However, they have created new 
vulnerabilities as well. PDD-63 expressed President Clinton’s 
intent to eliminate significant weaknesses to both physical and 
electronic attacks on critical infrastructures, “including especially 
our cyber systems.” The directive called for a “closely 
coordinated effort of both the government and the private sector . . 

. [that] must be genuine, mutual and cooperative” in order to be 
successful. This initiative marked the advent of public-private 
partnerships to secure individual sectors of the nation’s critical 
infrastructure by appointing senior officials from designated “Lead 

30 

Agencies” to work with the private industry in each sector. 

PDD-63 designated the Department of Defense (“DoD”) as the 
Lead Agency for national defense. Later, the Homeland Security 
Act of 2002 established the Department of Homeland Security 

32 

(“DHS”) as an executive department of the United States. 
Within DHS, a Directorate for Information Analysis and 
Infrastructure Protection was created to receive, access, and 
analyze information received from government agencies as well as 
the private sector at the national, local, and state levels. The 
Directorate was to “(A) identify and assess the nature and scope of 
terrorist threats to the homeland; (B) detect and identify threats of 
terrorism against the United States; and (C) understand such 
threats in light of actual and potential vulnerabilities of the 
homeland.”^"^ The Under Secretary for Information Analysis and 
Infrastructure Protection, leading the Directorate, was also tasked 


DIB SSP], available at http://www.dhs.gov/xlibrary/assets/nipp-ssp-defense-industrial- 
base.pdf 

PDD-63, supra note 10. 

Id. 

Id. (“For each infrastructure sector that could be a target for significant cyber or 
physical attack, there will be a single U.S. Government department which will serve as 
the lead agency for liaison.”). 

See id. 

6U.S.C. § lll(a)(2006). 

” Id. § 121(a). 

Id. § 121(d)(1). 
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with several funetions involving the synthesis and protection of the 
information received, including: 

• To carry out comprehensive assessments of 
the vulnerabilities of the key resources and 
critical infrastructure of the United States . . 

• To develop a comprehensive national plan 
for securing the key resources and critical 
infrastructure of the United States .... 

• To recommend measures necessary to 
protect the key resources and critical 
infrastructure of the United States .... 

• To consult with State and local governments 
and private sector entities to ensure 
appropriate exchanges of information, 
including law enforcement-related 
information, relating to threats of terrorism 
against the United States .... 

• To ensure that . . . any material received 
pursuant to this Act is protected from 
unauthorized disclosure and handled and 
used only for the performance of official 
duties . . . .^^ 

Thus, the Homeland Security Act of 2002 emphasized the 
protection of the information collected pursuant to DHS’s 
information analysis and infrastructure protection efforts. In 
addition, the creation of DHS as an executive department resulted 
in significant implications for cybersecurity, discussed below. 

Collaboration between the public and private sectors was again 
highlighted with the creation of the Protected Critical 
Infrastructure Information Program (“PCII”). This information- 
protection program was established to enhance information sharing 
between the government and the private sector. Today it is still 
used to “[ajnalyze and secure critical infrastructure and protected 


Id. § 121(d). 

See Protected Critical Infrastructure (PCII) Program, U.S. Dep’t of Homeland 
Sec., http://www.dhs.gOv/files/programs/editorial_0404.shtm (last visited Oct. 14, 2010). 
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systems, [ijdentify vulnerabilities and develop risk assessments, 
and [ejnhanee reeovery preparedness measures.” 

When information is submitted, from the private sector to the 
government sector under PCII, it is subjected to the requirements 
of the Critical Infrastructure Information Act of 2002 (“CII”).^* 
The specific protections of voluntarily shared critical infrastructure 

•5Q 

information under the CII are delineated in 6 U.S.C. § 133. 
Under PCII, if the requirements of the Act are met, the information 
submitted to the government is protected from the Freedom of 
Information Act,"^° state and local disclosure laws, and use in civil 
litigation. The information is also destroyed or returned to the 
submitter if the enumerated conditions are not met."^' Thus, even 
the earliest government cybersecurity initiatives included 
significant measures to protect information privacy. 

2. 2003-2008 

In February 2003, the Bush White House issued the National 
Strategy to Secure Cyberspace, which identified cyberspace as the 
“nervous system” of the country and highlighted the role of 
public-private engagement in securing it."^^ The Strategy identifies 
five national priorities with regard to security in cyberspace: “(1) a 
national cyberspace security response system; (2) a national 
cyberspace security threat and vulnerability reduction program; (3) 
a national cyberspace security awareness and training program; (4) 
securing governments’ cyberspace; and (5) and national security 
and international cyberspace security cooperation.”"^"^ The second, 
third, and fourth priorities are targeted toward reducing threats 
from, and vulnerabilities to cyber attacks Under the umbrella of 
the first listed priority, a national cyberspace security response 
system, the collaboration between public and private entities is 


Critical Infrastructure Information Act of 2002, 6 U.S.C. §§ 131-34. 

Id. § 133. 

Freedom of Information Act, 5 U.S.C. § 552. 

See Protected Critical Infrastructure (PCII) Program, supra note 36. 

See National Strategy to Secure Cyberspace, supra note 20, at iv, 1. 
Id. at 2. 

See id. at 3^. 

Id. 


45 
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again paramount. Among the eight major initiatives in this listed 
priority, four speeifioally referenee the publie-private partnership."^^ 

On Deeember 17, 2003, President Bush issued Homeland 
Seeurity Presidential Direetive 7: Critieal Infrastrueture 
Identifieation, Prioritization, and Proteetion (“HSPD-7”)."^^ The 
purpose of HSPD-7 was to establish “a national poliey for Federal 
departments and ageneies to identify and prioritize United States 
eritieal infrastrueture and key resourees and to proteet them from 
terrorist attaeks.” This direetive superseded President Clinton’s 
Presidential Direetive, PDD-63."^^ HSPD-7 eneompassed many 
initiatives from prior polieies, ineluding adequate proteetion of 
“voluntarily provided information, . . . that would faeilitate 
terrorist targeting of eritieal infrastrueture and key resourees 
eonsistent with the Homeland Seeurity Aet of 2002 and other 
applieable legal authorities.In addition, DHS and the Seetor- 
Speeific Ageneies^^ were direeted to eollaborate with appropriate 
private seetor entities and to eneourage information sharing, as 
well as to “support seetor-eoordinating meehanisms: (1) to 
identify, prioritize, and eoordinate the proteetion of eritieal 
infrastrueture and key resourees; and (2) to faeilitate sharing of 
information about physieal and eyber threats, vulnerabilities, 
ineidents, potential proteetive measures, and best praetiees.” 
This direetive again attempted to strike a balanee between the need 
for seeurity in eyberspaee and the privaey interests of the 
individual. 


See id. The four initiatives are as follows: establishing a public-private architecture 
for responding to national-level cyber incidents, developing a private sector capability to 
share a comprehensive view of the potency of cyberspace, coordinating processes for 
voluntary participation in the development of national continuity and contingency plans, 
and improving and enhancing public-private information sharing involving cyber threats, 
vulnerabilities, and attacks. See id. 

HSPD-7, supra note 20. 

Id.\\. 

Id. H 37; see also infra Part I.A.l. 

Id. H 10. 

Id. H 6(g) (“The term Sector-Specific Agency means a Federal department or agency 
responsible for infrastructure protection activities in a designated critical infrastructure 
sector or key resources category.”). 

Id. H 25. 
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Most significantly, HSPD-7 directed the DHS Seeretary to 
“produee a eomprehensive, integrated National Plan for Critieal 
Infrastrueture and Key Resourees Proteetion to outline national 
goals, objeetives, milestones, and key initiatives.” Four speeifie 
elements were designated for inelusion in the Plan: 

a. a strategy to identify, prioritize, and eoordinate 
the proteetion of eritieal infrastrueture and key 
resourees, ineluding how the Department intends 
to work with Federal departments and ageneies. 

State and loeal governments, the private seetor, 
and foreign eountries and international 
organizations; 

b. a summary of aetivities to be undertaken in order 
to: define and prioritize, reduee the vulnerability 
of, and eoordinate the proteetion of eritieal 
infrastrueture and key resourees; 

e. a summary of initiatives for sharing eritieal 
infrastrueture and key resourees information and 
for providing eritieal infrastrueture and key 
resourees threat warning data to State and loeal 
governments and the private seetors; and 

d. eoordination and integration, as appropriate, with 
other Federal emergeney management and 
preparedness aetivities ineluding the National 
Response Plan and applieable national 
preparedness goals. 

These eomponent parts, as well as “other Homeland Seeurity- 
related elements as the Seeretary deems appropriate,”^^ underlie 
the formulation of the National Infrastrueture Proteetion Plan 
(“NIPP”),^^ released in 2006 and last updated in 2009.^^ 


” Id. H 27. 

Id. 

Id. 

See 2006 NIPP, supra note 20. 

Prior to the release of the completed NIPP in June 2006, many of the initiatives 
described in the Plan were delineated in additional government documents. See, e.g., U.S. 
Dep’t of Homeland Sec., The National Strategy for the Physical Protection of 
Critical Infrastructures and Key Assets (2003), available at http://www. 
dhs.gov/xlibrary/assets/Physical_Strategy.pdf; see also U.S. Dep’t of Homeland Sec., 
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The overarching goal of the NIPP as written in 2006 is, simply 
stated, to protect the nation’s critical infrastructure. It “provides 
the unifying structure for the integration of existing and future 
CIKR protection efforts . . . across sectors” to achieve these 
security goals on a national level.Specifically, the NIPP has the 
objective of “deter[ring] the threat or minimiz[ing] consequences” 
associated with attacks on the nation’s Critical Infrastructure and 
Key Resources.It also outlines the roles for security partners in 
the private and public sectors, including regional partners, the 
academic community, and government at the state and local 
level.In accordance with HSPD-7, the NIPP delineates “Sector- 
Specific Agencies” (replacing the term “Lead Agencies” from 
prior policy initiatives, but with substantially the same function) to 
lead efforts in each CIKR sector. DHS, specifically the Office of 
Cyber Security and Telecommunications, was designated as the 
Lead Agency for the Information Technology and 
Telecommunications (now known as the Communications) CIKR 
sector.^^ 

A risk management framework is the cornerstone of the NIPP 
approach to CIKR protection, and the plan also recommends 
implementation using “organizational structures and partnerships 
committed to sharing and protecting the information needed to 
achieve the NIPP’s goal.” The “balance between an appropriate 
level of security and protection of civil rights and liberties” is 
again highlighted as a goal.^"^ Finally, three larger-scale elements 
are discussed in the NIPP; the role of CIKR protection in the 
overall homeland security mission, strategies for ensuring the 


Interim National Infrastructure Protection Plan (2005), available at 
http://cip.gmu.edu/archive/Interim_NIPP_Feb_05.pdf. 

2006 NIPP, supra note 20, at 1. 


See id. at 2. 

See id. at 2-3 (Sector-Specific Agencies “implement the NIPP framework and 
guidance as tailored to the specific characteristics and risk landscapes of each of the 
CI[]KR sectors designated in HSPD-7.”); see also Office of Cybersecurity and 
Communications, U.S. Dep’t OF HOMELAND SEC., http://www.dhs.gov/xabout/structure/ 
gc_l 185202475883.shtm (last visited May 2, 2010). 

2006 NIPP, supra note 20, at 4. 

Id. at 5. 


64 
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program’s effectiveness and efficiency in the long term, and the 
provision of resources for the CIKR protection program. 

In addition, organizations outside of the government sphere 
aimed to protect cybersecurity. In December 2008, the Center for 
Strategic and International Studies (“CSIS”) released a report 
entitled “Securing Cyberspace for the 44th Presidency.” CSIS is a 
bipartisan nonprofit organization that conducts research and 
analysis, develops policy initiatives, and provides “strategic 
insights and policy solutions to decision makers.The report 
outlined three major findings: cybersecurity is a serious national 
security problem for the United States; decisions and actions taken 
with regard to cybersecurity must respect both civil liberties and 
privacy; and the country will be more secure with a comprehensive 
national security strategy in place that encompasses both the 

67 

national and international facets of cybersecurity. 

Among the recommendations discussed in the report are 
several that fall directly in line with the previous directives and 
policy proposals. First, the CSIS recommended the creation of a 
national security strategy for cyberspace. It used the acronym 

DIME—Diplomatic, Intelligence, Military, and Economic—to 

68 

represent the elements needed for a comprehensive solution. 
CSIS also proposed that the White House be placed at the forefront 
of cybersecurity leadership and create “a new office for cyberspace 
in the Executive Office of the President.”^^ The role of public- 
private partnerships was also highlighted; specifically, CSIS 
suggested that the government “recast” its relationship with the 
private sector and “redesign” the public-private partnership to 
include “more clearly defined responsibilities, an emphasis on 
building trust among the partners, and a focus on operational 
activities” to increase progress.CSIS illustrates that non- 


See id. at 5-6. 

About Us, Ctr. for Strategic & Int’l Studies, http://csis.org/about-us (last visited 
Apr. 10, 2010). 

Center for Strategic & Int’l Studies, Securing Cyberspace for the 44th 
Presidency 1 (Dec. 2008), http://csis.org/files/media/csis/pubs/081208_securing 
cyberspace_44.pdf 
Id. 

Id. at 2. 

Id. 
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governmental organizations have come to some of the same 
conclusions reached by the government regarding cyberspace 
security strategy, and it shares the viewpoint that “greater security 
must reinforce citizens’ rights, not come at their expense. 

3. 2009-present 

In late 2008, DHS published a notice in the Federal Register 
describing proposed updates to the National Infrastructure 
Protection Plan and soliciting public comment “on issues or 
language in this draft document.” While the basic framework of 
the document remained intact, several important changes were 
introduced, including publication of the sector-specific plans 
(“SSPs”), updates in information sharing mechanisms, and 
improvements in other programs led by DHS. Somewhat 
surprisingly, the 2009 NIPP did not contain an abundance of 
additional information or make significant changes regarding the 
protection of cyberspace.’'^ 

On April 17, 2009, the White House Office of the Press 
Secretary released a statement announcing the conclusion of the 
sixty-day Cyberspace Review that began on February 9, 2009.’^ 
The purpose of the review was “to develop a strategic framework 
to ensure that our initiatives in [cyberspace] are integrated, 
resourced and coordinated appropriately, both within the Executive 
Branch and with Congress and the private sector.”’^ The 
conclusion of the review period provided the President with 


Id. at 15. 

See Review and Revision of the National Infrastructure Protection Plan, 73 Fed. 
Reg. 67,532 (Nov. 14, 2008), available at http://edocket.access.gpo.gov/2008/E8- 
27106.htm. 

” Id. 

Compare 2006 NIPP, supra note 20, with U.S. Dep’T OF HOMELAND SEC., National 
Infrastructure Protection Plan (2009), available at http://www.dhs.gov/ 
xlibrary/assets/NIPPPlan.pdf. 

Press Release, White House, Statement by the Press Secretary on Conclusion of the 
Cyberspace Review (Apr. 17, 2009), available at http://www.whitehouse.gov/ 
the_press_office/Statement-by-the-Press-Secretary-on-Conclusion-of-the-Cyberspace- 
Review. The Cyberspace Review analyzed “the plans, programs, and activities underway 
throughout the government that address [the U.S.’s] communication and information 
infrastructure (i.e. cyberspace).” Id. 
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conclusions and recommendations for “an optimal White House 
organizational structure to address cyberspaee-related issues and . . 

. an aetion plan on identifying and prioritizing further work in this 
area.”^^ 

Just over a month later, on May 29, President Obama addressed 
the nation on the topie of the seeurity of the United States’ eyber 

•70 

infrastrueture. President Obama reiterated that no single agency 
has the authority and responsibility to undertake the ehallenge of 
seeuring the eountry’s eyber networks, and “[n]o single offieial 

70 

oversees eyberseeurity policy across the federal government.” 
The President aeknowledged the shortcomings of communication 
with the private sector and between federal ageneies, and 
announeed that his administration would eonsider digital 
infrastructure as a “strategie national asset” whose proteetion is a 
national seeurity priority. 

President Obama also announeed the ereation of a new 
Cyberseeurity Offiee within the White House led by the 
Cyberseeurity Coordinator and tasked with the following 
responsibilities: “orehestrating and integrating all eyberseeurity 
polieies for the government; working closely with the Office of 
Management and Budget to ensure ageney budgets refleet those 
priorities; and, in the event of major eyber incident or attaek, 
eoordinating our response.” Publie-private partnerships were 
highlighted onee again, as a majority of eritieal infrastrueture is 
owned by the private sector. However, President Obama 
emphasized that rather than dietate seeurity standards for private 

eompanies, government and industry should work together to find 

82 

seeure technology solutions that promote economie prosperity. 
Finally, the President reiterated one of the primary eoneerns 


Id. 


See Remarks by the President, supra note 20. 

Id. 

Id. 

Id.-, see also Cyberseeurity, White House, http://www.whitehouse.gov/ 
cyberseeurity (last visited Oct. 24, 2010) (“To implement the results of [the Cyberspace 
Policy Review], the President has appointed Howard Schmidt to serve at the U.S. 
Cyberseeurity Coordinator and created the Cyberseeurity Office within the National 
Security Staff. . . .”). 

Remarks by the President, supra note 20. 
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associated with cybersecurity: that civil liberties and privacy 
remain paramount, and accordingly, that the national cybersecurity 
plan not subject private sector networks to government 
monitoring. 

The report following the Cyberspace Policy Review was 
released in 2009 as a “clean-slate” review of structures and policies 
for cybersecurity. It is built upon the same central policy goals 
as prior initiatives: balancing security and privacy concerns with 
the promotion of innovation and economic prosperity; 
strengthening cybersecurity accountability and leadership; and 
encouraging collaboration between the public and private sectors 
on an international level. A significant departure from prior 
initiatives, however, is the Review’s recommendation that the 
White House take the lead on cybersecurity-related issues, to 
demonstrate to the nation and the global community that the 
United States’ approach to cyberspace protection is a serious 
response to threats. This divergence will be analyzed in Part 
II.A.3 of this Note. 

Congress, too, has begun to recognize the importance of 
cybersecurity as a national concern and has taken action on the 
legislative side. Senator Jay Rockefeller, for example, proposed 

on 

the Cybersecurity Act of 2009, which addresses the finding that 
the failure to protect cyberspace is one of the most urgent national 
security problems currently facing the United States and proposes 
a number of improvements to correct this deficiency, again 

OQ 

including public-private collaboration. The bill has provoked 
controversy since its introduction was publicized, and at the time 
of this writing, several other bills have been proposed and are 

on 

pending in Congress. 


Id. 


Cyberspace Policy Review, supra note 20, at iii. 

See id., at iii-v. 

Id. at V. 

Cybersecurity Act of 2009, S. 773, 111th Cong. (2009). 

*** See id. 

See Philip Shenon, Can Obama Shut Down the Internet?, The Daily Beast (June 
18, 2010), http://www.thedailybeast.eom/blogs-and-stories/2010-06-18/new-bill-would- 
let-obama-police-intemet-for-national-security-reasons; Richard Stiennon, Rockefeller's 
Cybersecurity Act of 2010: A Very Bad Bill, The Firewall Blog, Forbes (May 4, 2010, 
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The most significant proposition from this history of the 
nation’s cybersecurity policies is that while these initiatives have 
certainly evolved from the Clinton administration to the beginning 
of the Obama administration, several significant components have 
remained constant: the continued emphasis on collaboration 
between the public sector and private industry, the importance of 
information sharing, and the awareness of the privacy rights and 
civil liberties of the individual. Part II of this Note will discuss the 
role of these three elements in the context of the Google-NSA 
alliance, but in order to better understand this fledgling 
partnership, its component parts must be considered individually. 

B. The Google-NSA Alliance 

1. Background Information: Google and the NS A 
a) Google 

Google’s name derives from the word “googol,” which is the 
mathematical term for a 1 followed by 100 zeros as a reflection of 
the sheer volume of information that exists in the world.^° Despite 
the wide range of products currently offered under the Google 
name,^^ Google began as a search engine. Today, search still 
receives the greatest amount of engineering time among the 
Google products, because Google believes that the search engine 
can always be improved. This falls squarely in line with 
Google’s mission: “to organize the world’s information and make 

09 

it universally accessible and useful.” 

i. Google’s Privacy Policies and Data Collection Methods 

The expansion of Google’s services has led to increasing 
concerns about the privacy of Google’s individual users. Google’s 


12:43 PM), http://blogs.forbes.eom/firewall/2010/05/04/rockefellers-cybersecurity-act- 
of-2010-a-very-bad-bill. 

Corporate Information, Company Overview, Google, http://www.google.com/ 
corporate/index.html (last visited Apr. 10, 2010) [hereinafter Company Overview^. 

See More Google Products, Google, http://www.google.com/intl/en/options/ (last 
visited Apr. 10, 2010) (listing Gmail, Maps, Docs, Calendar, and Reader, among Google 
services). 

Company Overview, supra note 90. 

Id. 
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privacy policy applies to products, services, and websites offered 
by Google, Inc. or its affdiated companies and subsidiaries.^"^ 
Colleetively, these are known as Google’s “serviees,” and Google 
“post[s] supplementary privacy notices as needed to deseribe how 
specifie serviees proeess personal information.”^^ An individual 
user is asked to provide specific personal information to Google, 
such as a name, an e-mail address, and an account password for 
those serviees that require registration.^^ 

Google’s servers automatieally record “log information,” also 

07 

known as “server logs,” when a user accesses Google services. 
This information could include a user’s web request, browser type, 
Internet Protoeol (“IP”) address, date and time of request, browser 
language, and one or more “cookies” that may uniquely identify 
that user’s browser. The privacy policy also states that Google 
may also retain e-mail or other communications sent to the 
company in order to process user inquiries, respond to user 
requests, and improve its serviees.Google’s privacy policy 
applies to personal information provided to affiliated Google 
services on other sites. Thus, information provided to affiliated 
services is protected under Google’s privacy policy. However, the 
policy also cautions that affiliated web sites may have different 
privaey praetices and encourages users to review those sites’ 
policies.'™ 


Privacy Policy, Google (Mar. 11, 2009), http://www.google.com/intl/en/privacy_ 
archive.html [hereinafter Google Privacy Policy^ (follow “Version 03/11/2009”). 

Id. 

Id. 

Id. 

Id. A “cookie” is a small file containing a string of characters that is sent to a 
computer or other device uniquely identifying the user’s Internet browser when the user 
visits Google. Cookies are used to improve the quality of Google’s service, including 
improvements in search results and ad selection, storing user preferences, and tracking 
user trends, such as how users search. Cookies are also used in advertising services to 
help publishers and advertisers manage ads across the Internet, so when a user visits a 
website and views or clicks on an ad supported by Google’s advertising services, 
including Google sites using advertising cookies, one or more cookies may be set in that 
user’s Internet browser. What are Computer Cookies?, wiseGEEK, http://www. 
wisegeek.com/what-are-computer-cookies.htm (last visited Sept. 14, 2010). 

Google Privacy Policy, supra note 94. 

Id. 
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Google also emphasizes that personal information is proeessed 

for the limited purposes deseribed within their privacy policy 

“and/or the supplementary privacy notices for specific services,”''*^ 

as well as other additional purposes, including: “providing our 

services, including the display of customized content and 

advertising; auditing, research, and analysis in order to maintain, 

protect, and improve our services; ensuring the technical 

functioning of our network; protecting the rights or property of 

102 

Google or our users and developing new services.” 

The most significant take away from Google’s privacy policy 
is that it applies to Google services only. Google does not 
“exercise control over the sites displayed in search results, sites 
that include Google applications, products or services, or links 
from within our various services. 

ii. Information Sharing, Security, and Data Integrity 

Google only shares personal information provided by a user 
with other companies or individuals under limited 
circumstances.'^"^ First, a user must consent for the sharing of any 
sensitive personal information, and Google only provides the 
information to Google’s “subsidiaries, affiliated companies, or 
other trusted businesses or persons for the purposes of processing 
personal information.”"*^ These parties must agree to process this 
information based on Google’s instructions, in compliance with 
Google’s privacy policy, and any other appropriate security and 
confidentiality measures."*^ Google also shares personal 
information with outside companies where there is a good faith 
belief that: 

access, use, preservation, or disclosure of such 
information is reasonably necessary to (a) satisfy 
any applicable law, regulation, legal process or 
enforceable government request, (b) enforce 
applicable Terms of Service, including investigation 


101 

102 

103 

104 

105 


Id. 

Id. 

Id. 

Id. 

Id. 

Id. 
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of potential violations thereof, (c) detect, prevent, or 
otherwise address fraud, security, or technical 
issues, or (d) protect against harm to the rights, 
property or safety of Google, its users or the public 
as required or permitted by law.'^’^ 

Should Google be involved in a merger, acquisition, or sale of 
all or part of its assets, Google will “provide notice before personal 
information is transferred and becomes subject to a different 
privacy policy.” Google will also make certain that personal 
information involved in such transactions remains confidential. 
Certain aggregated, non-personal information (such as the numbers 
of users who searched a certain term or clicked on a particular 
advertisement) may be shared with third parties without identifying 
individual users.Google takes “security measures to protect 
against unauthorized access to or unauthorized alteration, 
disclosure or destruction of data . . . [including] internal reviews of 
data collection, storage and processing practices and security 
measures, as well as physical security measures to guard against 
unauthorized access to systems where [it] store[s] personal 

data.”''^ Google heavily restricts unauthorized access to personal 

112 

information. 

Personal information provided to Google is processed in 
accordance with the company’s privacy policies. Google only 
uses the information for its collected purpose, and Google reviews 
its storage, collection, and processing practices regularly to ensure 
that only the minimum amount of personal information needed to 
provide or improve Google services is collected, stored, and 
processed.Finally, Google will work with both individual users 


107 

108 


Id. 

Id. 

Id. 

Id. 

Id. 

See id. Google employees, agents, and contractors are bound by confidentiality 
obligations and subject to discipline for non-compliance, and these individuals require 
some access to personal information to develop, improve, and operate Google systems. 
Id. 


109 

110 
111 
112 


114 


See id. 
Id. 
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and regulatory authorities, if neeessary, to respond to formal 
written complaints regarding concerns involving the transfer of 
personal data.'^^ 

Several changes to Google’s privacy policy were implemented 

beginning October 3, 2010, and users were notified of these 

changes prior to the application of the new policyWhile the 

majority of the policy remains the same as discussed above, 

Google deleted twelve product-specific policies so that more 

Google products and services are governed by one privacy policy; 

and Google modified the overall policy to reduce redundancies and 

simplify the legal language to make it easier to understand. 

Google also created a web page detailing the specific additions and 

118 

omissions since the last update of the policy on March 11, 2009. 

Despite its robust privacy protection policy, Google was 
recently involved in a serious privacy breach. In May 2010, 
Google announced on its official blog and on its European Public 
Policy blog that some data collected by Google Street View cars 
for use in location-based products, such as Google Maps for 
mobile phones, mistakenly included “payload data” (information 
sent over a wireless network) from open wireless Internet 
networks, meaning those that are not protected by a password. 
Payload data includes bits of personal data sent over these 
unencrypted networks. The European Public Policy blog post 
originally stated that no payload data was collected from such 
networks; rather, only publicly broadcast information like the 
name of the wireless network and the MAC address, which is the 
unique number assigned to a device such as a wireless router, was 


Mike Yang, Trimming Our Privacy Policies, Official Google Blog (Sept. 3, 2010, 
9:00 AM), http://googleblog.blogspot.eom/2010/09/trimming-our-privacy-policies.html. 

Id.\ see also Privacy Policies Update-FAQ, Google, http://www.google.com/ 
privacy_faq_2010.html (last visited Oct. 2, 2010). 

'** Privacy Policy Update, Google, http://www.google.com/privacy_changes_2010. 
html (last visited Oct. 2, 2010). 

Alan Eustace, WiFi Data Collection: An Update, Official Google Blog (May 14, 
2010, 1:44 PM), http://googleblog.blogspot.eom/2010/05/wifi-data-collection- 

update.html; Peter Fleischer, Data Collected by Google Cars, Google European Public 
Policy Blog (Apr. 27, 2010, 1:01 PM), http://googlepolicyeurope.blogspot.com/ 
2010/04/data-collected-by-google-cars.html. 

Eustace, supra note 119. 
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121 

obtained. A flurry of criticism followed both the original 
announcement and the update including the admission of this 
mistake, and could affect the public’s perception of Google’s 
ability to keep personal data secure and private. In June 2010, it 
was announced that Connecticut Attorney General and Senator- 
elect Richard Blumenthal would be leading a thirty-state 
investigation into Google’s Wi-Fi gathering scandal. Several 
countries other than the United States, including Spain, have begun 

125 

their own inquiries. 

Notwithstanding this incident, Google is still ranked the 
number one most visited website in the world according to three- 
month Internet traffic rankings conducted by Alexa, a web 
information company that maintains a database of statistics and 
other related information about popular Web sites. 


Fleischer, supra note 119. 

See, e.g., Cecilia Kang, Growing Anger Over Google Street View Privacy Breach, 
Post Tech. Blog, Washingtonpost.com (May 20, 2010, 8:00 PM), http://voices. 
washingtonpost.com/posttech/2010/05/the_anger_is_growing_over.html; Cecilia Kang, 
Lawmakers Press FTC on Google Street View Privacy Lapse, Post Tech. Blog, 
Washingtonpost.COM (May 19, 2010, 3:19 PM), http://voices.washingtonpost.com/ 
posttech/2010/05/us_lawmakers_ press_ftc_on_inve.html; Xeni Jardin, Google: We 
Inadvertently Collected Personal Data Sent over Wifi Networks, Boing Boing (May 16, 
2010), http://www.boingboing.net/2010/05/14/google-yes-we-snoope.html; Jason 
Kincaid, Google Admits to Accidentally Collecting Personal Data With Street View Cars, 
TechCrunch (May 14, 2010), http://techcrunch.eom/2010/05/14/google-admits-to- 
accidentally-collecting-personal-data-with-street-view-cars; Ross Miller, Street View 
Cars Mistakenly Nabs Personal Data over WiFi Networks, Says Google, Engadget 
(May 14, 2010, 7:51 PM), http://www.engadget.eom/2010/05/14/street-view-cars- 
mistakenly-nabs-personal-data-over-wifi-says-g; Kim Zetter, Google Street View Cams 
Collected Private Content from WiFi Networks, Threat Level Blog, Wired (May 15, 
2010, 7:15 PM), http://www.wired.eom/threatlevel/2010/05/google-street-view-cams. 

David M. Halbfinger, Blumenthal Wins in Connecticut to Take Dodd's Senate Seat, 
N.Y. Times, Nov. 2, 2010, at P12, available at http://www.nytimes.eom/2010/ll/03/ 
nyregion/03ctsen.html. 

See, e.g., Scott Morrison, Connecticut to Lead Multi-State Probe of Google, Wall St. 
J., June 21, 2010, http://online.wsj.eom/article/SB1000142405274870489520457532080 
2269077146.html; Tom Krazit, Connecticut Heads up 30-State Google Wi-Fi Probe, 
CNET (June 21, 2010, 11:46 AM), http://news.cnet.eom/8301-30684_3-20008332- 
265.html. 

E.g., Raphael Minder, Google Sued in Spain over Data Collection, N.Y. Times, Aug. 
17, 2010, http://www.nytimes.eom/2010/08/18/technology/18google.html. 

Google.com Site Info, Alexa, http://www.alexa.com/siteinfo/google.com (last 
visited Nov. 21, 2010). 

™ Alexa Internet, Company Overview, Alexa, http://www.alexa.com/company (last 
visited Nov. 21, 2010). 
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Nevertheless, the amount of data involved in this Wi-Fi breach is 
relatively small compared to the volume of data the company 
handles on a routine basis. Google has also been subjected to 
negative publicity in the past without a significant deterrent effect 

1 90 

on its overall usage. 

b) The National Security Agency 

The National Security Agency was established, by order of 
President Harry S. Truman on November 4, 1952, in the wake of 
government work breaking enemy codes during World War II, 

130 

which was a significant contributing factor in winning the war. 
The establishment of the NS A followed several government 
studies determining how best to continue codebreaking work after 
World War II.The Central Security Service (“CSS”), 
established by Presidential Directive in 1972, includes the 
elements of the armed forces (Navy, Air Force, Army, Coast 
Guard, and Marine Corps) that engage in codemaking and 
codebreaking work along with the NSA.'^^ The CSS and the NS A 
members work together around the world to support both military 
and civilian leaders, as well as the White House, policy and 
decision makers, and troops at the front lines. The government- 
wide responsibilities of the NSA/CSS render it unique among the 
defense agencies because it provides products and services to the 
Department of Defense, government agencies, industry partners, 
the Intelligence Community, and select allies and coalition 
partners; it also delivers critical strategic and tactical information 
to war planners and fighters.Specifically, “NSA/CSS provides 


See Google Transparency Report: Traffic, Google, http://www.google.com/ 
transparencyreport/traffic (last visited Nov. 21, 2010). “This tool provides information 
about [Internet] traffic to [Google] services around the world. Each graph shows historic 
traffic patterns for a given country/region and service.” Id. 

See, e.g., Google Ranked “Worst" on Privacy, BBC News, June 11, 2007, 
http://news.bbc.co.Uk/2/hi/technology/6740075.stm. 

Frequently Asked Questions About NSA, Nat’l Sec. Agency § 1 (Jan. 15, 2009), 
http://www.nsa.gov/about/faqs/about_nsa.shtml [hereinafter FAQ About NSA^ (follow 
“How and When Was the National Security Agency Established?”). 

Id. 

Id. (follow “What Is the Central Security Service?”). 

Id. 

Id. 
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intelligence products and services to the White House, executive 
agencies (such as CIA and the State Department), the Chairman 
and Joint Chiefs of Staffs (JCS), military combatant commanders 
and component commands, military departments, multinational 
forces, and U.S. allies.” In addition, it provides Information 
Assurance products and services to government contractors and 

136 

users of national security information systems. 

The National Security Agency has two core missions: to 
protect the national security systems of the United States and to 
produce information about foreign intelligence. The NSA/CSS 
has two interconnected missions: Information Assurance (“lA”), 
through which the national security information systems and 
information of the United States are protected from theft or 
damage; and Signals Intelligence (“SIGINT”), which “gather[s] 
information that America’s adversaries wish to keep secret.”'^* 
SIGINT collects foreign intelligence from various sources, 
interprets it (often deciphering foreign languages, dialects, and 
security codes), and provides it to customers throughout the United 
States government, which uses the information to advance national 
objectives, including fighting terrorism and protecting military 
troops. Information Assurance prevents unauthorized access to 
classified or sensitive national security information, both by 
keeping information safe from unlawful access and ensuring that 
the information needed by our decision makers is available and 
reliable. These two missions assist the function of enabling a 
military operation known as Network Warfare.In carrying out 
these missions, the NSA/CSS defends vital networks, saves lives, 
and advances the alliances and goals of the United States. 
Privacy rights guaranteed by the Constitution and the laws of the 


Id. (follow “Who Are the NSA/CSS’ Customers?”). 

Id. 

See id.\ see also The NSA/CSS Mission, Nat’l Sec. Agency, http://www.nsa.gov/ 
about/mission/index.shtml (last visited May 2, 2010). 

FAQ About NSA, supra note 130 (follow “What Does the NSA/CSS Do?”). 

Id. (follow “What is Signals Intelligence?”). 

Id. (follow “What is Information Assurance?”). 

See id. (follow “Who Are the NSA/CSS’ Customers?”). 

Id. 
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United States remain strictly protected in the execution of these 
missions/"^^ 

2. Events Prompting the Formation of the Google-NSA 
Alliance 

On January 12, 2010, Google posted an announcement entitled 
A New Approach to China on its official blog/"^"^ The posting 
publicized the fact that in mid-December 2009, a “highly 
sophisticated and targeted attack on [Google’s] infrastructure 
originating from China . . . resulted in the theft of intellectual 
property from Google.Google highlighted that the attack did 
not specifically target Google; the blog post explicitly stated that 
“at least twenty other large companies from a wide range of 
businesses—including the Internet, finance, technology, media, 
and chemical sectors” were also targeted. Nevertheless, a primary 
goal of the Google attack was to gain access to the GmaiP"^^ 
accounts of Chinese human rights activists.Investigations thus 
far led Google to believe that this objective was not achieved 
because only two accounts appeared to have been accessed, and 
the “activity was limited to account information (such as the date 
the account was created) and subject line, rather than the content of 

148 

emails themselves.” 

Independent of this particular attack, but still relevant to 
Google’s investigation, was the discovery that dozens of Gmail 
accounts (from users in the United States, Europe, and China) 
belonging to advocates for human rights in China appeared to have 
been accessed by third parties on a routine basis.Google 


See David Drummond, A New Approach to China, Official Google Blog (Jan. 12, 
2010, 3:00 PM), http://googleblog.blogspot.eom/2010/01/new-approach-to-china.html 
[hereinafter Drummond,^ New Approach to China]. 

Id. 

Gmail is Google’s webmail service. See What Is Gmail?, Gmail Help, http:// 
mail.google.com/support/bin/answer.py?hl=en&answei=6554 (last visited Oct. 14, 2010). 
Id. 

Id. 

Id. 
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speculated that the accounts were accessed via “phishing” scams'^° 
or “malware”'^^ placed on a user’s computer, not through a 
security breach at Google. The information gained from this 
attack prompted Google to improve its systems for enhanced 

1 ST 

security on the part of Google and its user. 

Google recommended that users take precautions to protect 
themselves in cyberspace (such as deploying anti-virus and anti¬ 
spyware programs on their computers, installing patches for 
their computer operating systems,and updating their Internet 
browsers).The blog post cautioned against clicking on 
hyperlinks that appear in instant messages or e-mails, and sharing 
personal information like passwords; it also provided a link to 
further information on specific cybersecurity recommendations.'^^ 


See What Is a Phishing Scam?, wiseGEEK, http://www.wisegeek.com/what-is-a- 
phishing-scam.htm (last visited Oct. 14, 2010) (“A phishing scam is an identity theft 
scam that arrives via email. The email appears to originate from a legitimate source such 
as a trusted business or financial institution and includes an urgent request for personal 
information,” typically invoking a critical need to update an account immediately. When 
a user clicks on a link in the email, s/he is directed to an official-looking website, but any 
personal information provided to this site is sent directly to the scam artist.). 

Malware is an abbreviation used to refer to a malicious software program. See What 
is Malware?, WISEGEEK, http://www.wisegeek.com/what-is-malware.htm (last visited 
Oct. 14, 2010). 

Drummond, A New Approach to China, supra note 144. 

Id. 

Anti-virus software programs detect and remove computer viruses, and anti-spyware 
programs remove spyware software from computers. Spyware covertly gathers 
information about a user’s Internet use and transmits that information to a third party 
individual or company that uses it for marketing or other purposes. See Antivirus 
Software, Dictionary.COM, http://dictionary.reference.com/browse/antivirus+software 
(last visited May 2, 2010); Spyware, Dictionary.COM, http://dictionary.reference.com/ 
browse/spyware (last visited May 2, 2010); see also Do I Need a Spyware Blocker in 
Addition to Antivirus Software?, wiseGEEK, http://www.wisegeek.com/do-i-need-a- 
spyware-blocker-in-addition-to-antivirus-software.htm (last visited May 2, 2010). 

A computer’s operating system (abbreviated as “OS”) is a program “designed to run 
other programs on a computer.” What Is an Operating System?, wiseGEEK, 
http://www.wisegeek.com/what-is-an-operating-system.htm (last visited May 2, 2010). 
Software companies often issue “patches” between releases of operating systems, to 
temporarily correct a flaw in the software until a new version of the OS is released. See 
What Is a Software Patch?, wiseGEEK, http://www.wisegeek.com/what-is-a-software- 
patch.htm (last visited May 2, 2010). 

Drummond, A New Approach to China, supra note 144. 

See id. 
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Additional links were supplied for those interested in learning 

158 

more about these kinds of attacks. 

Google explained that it had shared the information about the 
attacks with the world due to the security and human rights 
implications of the information uncovered, but also because of its 
significance with regard to the global debate about freedom of 
speech. In light of China’s economic development over the past 
twenty years, Google.cn was launched in January 2006 with the 
belief that any discomfort on Google’s part in agreeing to censor 
some search results was substantially outweighed by “the benefits 
of increased access to information for people in China and a more 
open Internet.”'^*’ The recent attacks and the surveillance they 
uncovered, as well as China’s continued attempts to further limit 
free speech on the Internet, led Google to review the feasibility of 
its business operations in China. Google concluded that it was no 
longer willing to continue censoring its results on Google.cn, and 
announced that it would be discussing the possibility of operating 
an unfiltered search engine on Google.cn with the Chinese 
government. 

On February 4, 2010, the Washington Post reported that 
Google and the National Security Agency had partnered to analyze 


These links included a report to Congress by the U.S.-China Economic and Security 
Review Commission (“USCC”), a related analysis prepared for the USCC, a presentation 
on the GhostNet spying incident, and a blog written by Nart Villaneuve, a self-described 
“Internet Censorship Explorer.” See U.S.-China Econ. & Sec. Review Comm’n, 2009 
Report to Congress (November 2009), available at http://www.uscc.gov/ 
annual_report/2009/annual_report_full_09.pdf; Brian Krekel, Northrop Grumman, 
U.S.-China Economic and Security Review Commission Report on the Capability 
OF THE People’s Republic of China to Conduct Cyber Warfare and Computer 
Network Exploitation (Oct. 9, 2009), available at http://www.uscc.gov/ 
researchpapers/2009/NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved%20Rep 
ort_160ct2009.pdf; Tracking GhostNet: Investigating a Cyber Espionage 
Network, Information Warfare Monitor (Mar. 29, 2009), available at 
http://www.scribd.eom/doc/l 3731776/Tracking-GhostNet-Investigating-a-Cyber- 
Espionage-Network (describing GhostNet as a suspected cyber espionage network of 
over 1,295 infected computers in 103 countries, 30% of which are high-value targets, 
including ministries of foreign affairs, embassies, international organizations, news 
media, and NGOs); Nart Villaneuve, http://www.narrv.org (last visited Apr. 13, 2010). 

Drummond, A New Approach to China, supra note 144. 

Id. 

Id. 
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the cyberattacks, with the objective of better defending Google and 
its users from future attack. Though neither organization 
commented on the partnership, sources told the Washington Post 
that the alliance allows for the sharing of critical information 
without violating Google’s policies or laws that protect Americans’ 
privacy of online communications. Under the terms of the 
alliance, Google will not be sharing proprietary data and the NS A 
will not be viewing users’ searches or e-mail accounts. The 
article stated that Google approached the NS A shortly after the 
attacks, but due to the sensitivity of the alliance, the deal took time 
to be formulated.Any agreement would be the first instance 
where Google had entered a “formal information-sharing 
relationship” with the NSA; in 2008 the company stated that it had 
not cooperated with the NSA’s Terrorist Surveillance Program.'^^ 
Sources also said that the focus of the alliance is to better defend 
Google’s networks and prevent future attacks, as it would be 
nearly impossible to determine the specific origins of the recent 
attack after the fact.'^^ 

An NSA spokesperson said that the organization works with 
many “commercial partners and research associates to ensure the 
availability of secure tailored solutions for Department of Defense 
and national security systems customers,” but Google’s broad 
reach and global presence make it unique among the NSA’s 
clients.This alliance allows the NSA to help Google evaluate 
vulnerabilities in its hardware and software to assist in its defenses, 
determine the level of sophistication of the adversary, utilize the 
analysis performed by the NSA in prior attacks to help prevent 
future incidents, and learn what methods were used to infiltrate 
Google’s system. Google, in turn, may share details about the 
malicious code used to attack Google’s system, without revealing 


Ellen Nakashima, Google to Enlist NSA to Ward Off Attacks: Firm Won’t Share 
User Data, Sources Say, But Deal Raises Issue of Privacy vs. Security, Wash. Post, Feb. 
4, 2010, at Al. 

Id. 

Id. 

Id. 

Id. 

Id. 

Id. 
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proprietary data about the intelleetual property that was taken, as 
this disclosure likely would perturb shareholders and subject the 
company to public scrutiny and possibly legal action/^^ 

The New York Times reported a similar story about the Google- 
NSA alliance the following day, containing many of the same facts 
as the Washington Post article, as well as several significant 
additions.'™ The New York Times piece reported that Google was 
partnering with the NS A rather than DHS because the former has 
“no statutory authority to investigate domestic criminal acts,” 
while the latter has such authority.*^' By partnering with the NS A, 
then, Google can prevent the government from regulating its 
search engine, e-mail, and other services as part of the nation’s 
“critical infrastructure.”'^^ The New York Times called the alliance 
a “cooperative research and development agreement,” which is a 
specific category created under the Federal Technology Transfer 
Act of 1986 that describes a written agreement between a 
government agency and a private company to collaborate on a 
particular project with the goal of accelerating the 
commercialization of government-developed technology.'™ The 
article also revealed that Google was working with the Federal 
Bureau of Investigation to inquire into the attack, but the bureau 
made no public comment about the incident.Similarly, the NS A 
has never issued a formal comment on the existence of an alliance 
with Google or any of the details mentioned in the initial news 
releases. By contrast, the agency has issued official comments on 
at least one other occasion to correct inaccurate portrayals of its 
initiatives in the media. 


See John Markoff, Google Asks Spy Agency for Help with Inquiry Into Cyberattacks, 
N.Y. Times, Feb. 5, 2010, at A6, available at http://www.nytimes.eom/2010/02/05/ 
science/OSgoogle.html. 

Id. 

Id. 

Federal Technology Transfer Act of 1986, 15 U.S.C. § 3710 (2006). 

Markoff, supra note 170. 

Id.\ see infra Part II of this Note for a discussion of the commentary and criticisms 
that followed Google’s announcement. 

See Siobhan Gorman, U.S. Plans Cyber Shield for Utilities, Companies, WALL 
Street J., July 8, 2010, http://online.wsj.eom/article/NA_WSJ_PUB:SB100014240 
52748704545004575352983850463108.html; see also Tony Bradley, NSA "Perfect 
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In mid-February, The New York Times reported that the Google 
eyber attaeks had been “traeed to eomputers at two edueational 
institutions in China,” one of whieh has elose ties to the Chinese 
military.The artiele stated that the attaeks may have begun 
months earlier than previously believed and that the goals of the 
attaeks were to steal trade seerets and eomputer eodes, and to 
aeeess the e-mail aeeounts of Chinese human rights aetivists.'^* 
The two sehools involved were Shanghai Jiaotong University, 
home of one of China’s top eomputer seienee programs, and the 
Lanxiang Voeational Sehool, whieh was established with military 
support and is responsible for training some of China’s military 

. . 179 

eomputer seientists. 

Spokespeople from the sehools said that they had not heard that 
the attaeks on Google had been traeed to their eampuses. 
However, eomputer seeurity analysts theorize that the voeational 
sehools were used as a eover for government operations, that a 
third eountry may have been involved, and that the haeking was 
eriminal industrial espionage with the goal of stealing intelleetual 
property from Ameriean teehnology firms. Independent 
researehers monitoring Chinese information warfare eaution that 
China has adopted a “highly distributed approaeh to online 

espionage” whieh renders proof of the origin of an attaek nearly 

181 

impossible to diseover. 

On Mareh 22, 2010, Google posted an update on its offieial 
blog announeing that it would no longer eensor its seareh serviees 

Citizen ” Program Is Only One Piece of Cyber Security Puzzle, PC World (July 9, 2010, 
7:55 AM), http://www.pcworld.com/businesscenter/article/200768/nsa_perfect_citizen_ 
program_is_only_one_piece_of_cyber_security_puzzle.html (discussing the official 
response to the “Perfect Citizen” program as characterized by the Wall Street Journal, 
issued by a NSA spokesperson via e-mail). 

John Markoff & David Barboza, 2 China Schools Said to Be Tied to Online Attacks, 
N.Y. Times, Feb. 19, 2010, at Al, available at http://www.nytimes.com/ 
2010/02/19/technology/19china.html. 

Id. 

™ Id. 

Id. The theory suggesting involvement on the part of the Chinese government is 
corroborated by the documents made public by WikiLeaks on November 28, 2010. See 
Scott Shane & Andrew W. Lehren, Leaked Cables Ojfer Raw Look at U.S. Diplomacy, 
N.Y. Times, Nov. 28, 2010, http://www.nytimes.eom/2010/l l/29/world/29cables.html. 
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182 

on Google.cn. “[TJhese attacks and the surveillance they 
uncovered—combined with attempts over the last year to further 
limit free speech on the web in China including the persistent 
blocking of websites such as Facebook, Twitter, YouTube, Google 
Docs and Blogger”—led Google to cease censorship of search 
results on Google.cn. From March 22 onward, visitors to 
Google.cn were automatically redirected to Google.com.hk and 
received the same uncensored search results (including Google 
Search, Google News, and Google Images) as users of the Hong 
Kong Google site. The site was presented in simplified Chinese 
designed for users in China, but the search results were delivered 
via Google servers in Hong Kong.'^"^ 

Google argued that the switch to Google.com.hk was a legal 
and appropriate way to allow further access to Google services in 
mainland China. However, the Chinese government continued 
to insist that Internet censorship was a non-negotiable legal 
requirement of operating in their country. Google was thus aware 
that the Chinese government could block access to Google’s web 
services at any time. Accordingly, a new web page was created 
to detail which Google services are available in China for any 
given date and time.^^^ 

Several days later, the large Internet domain registration 
company Go Daddy changed its policy and began discontinuing 
new “.cn” domain registrations in China. Though Go Daddy 
said that the decision to discontinue selling .cn names had nothing 


David Drummond, A New Approach to China: An Update, OFFICIAL Google Blog 
(Mar. 22, 2010, 12:03 PM), http://googleblog.blogspot.eom/2010/03/new-approach-to- 
china-update.html [hereinafter Drummond, A New Approach to China: An Update]. 

Id. 

Id. 

Id.\ see also Miguel Helft & David Barboza, Google Will Redirect China Users to 
Hong Kong Site, N.Y. TIMES, Mar. 23, 2010, at Al, available at http://www. 
nytimes.com/2010/03/23/technology/23google.html. 

See Helft & Barboza, supra note 185. 

Drummond, A New Approach to China: An Update, supra note 182. 

*** See What is Domain Registration?, wiseGEEK, http://www.wisegeek.com/what-is- 
domain-registration.htm (last visited May 2, 2010). 

*** Geoffrey A. Fowler, What Does it Cost Go Daddy To Leave China?, Wall St. J. 
Blog, Digits (Mar. 24, 2010, 11:15 PM), http:/^logs.wsj.com/digits/2010/03/24/what- 
does-it-cost-go-daddy-to-leave-china. 
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to do with publicity or with Google’s movement of searehes into 
Hong Kong,'^° movement by these two major eompanies out of 
China elearly demonstrates China’s serious and eontinual threat to 
United States eyberseeurity. This is espeeially evident beeause in 
June 2010, Google’s lieense to operate in China was at risk of not 
being renewed. On June 28, 2010, Google announeed on its 
offieial blog that it would no longer automatieally direet users to 
the uneensored Hong Kong site; rather, in an apparent eompromise 
to appease the Chinese government, users of the Google.en site 
saw a page that allowed them to proeeed to the Hong Kong site if 
they wished.An additional blog update on July 9, 2010 
eonfirmed that web seareh and other Google produets remain 

1 07 

available to users in China. 

These events following the Google attaeks are pertinent to the 
U.S. government’s attempts to balanee its own seeurity needs with 
the privaey rights of the individual Internet user. China represents 
one extreme of the speetrum, with a high level of government 
involvement in eyberspaee seeurity, sueh that the rights of the 
individual have been largely stifled. As a result, private 
eompanies like Google and Go Daddy have deeided to diseontinue 
or modify their serviees there.The other extreme would entail 
little to no government involvement in the seeurity of eyberspaee, 
whieh surely would lead to inereased eyberattaeks. Part II of this 
Note will diseuss the effeetiveness of the eurrent eyberseeurity 
strategy artieulated by the U.S. government, in the eontext of 


Id. Christine Jones, General Counsel of the Go Daddy Group, made these 
statements during an interview following her testimony at a hearing before the 
Congressional-Executive Commission in Washington, D.C. Id. 

*** David Drummond, An Update on China, OFFICIAL Google Blog (Jun. 28, 2010, 
10:45 PM), http://googleblog.blogspot.eom/2010/06/update-on-china.html [hereinafter 
Drummond, An Update on China]; Keith B. Richburg, Google Compromise Pays Off 
with Renewal of License in China, Wash. Post, July 10, 2010, http://www. 
washingtonpost.eom/wp-dyn/content/article/2010/07/09/AR2010070902137.html; see 
also China’s Renewal of Google’s License Offers Hope of Resisting Censorship, Wash. 
Post, July 14, 2010, http://www.washingtonpost.com/wp-dyn/content/article/ 

2010/07/13/AR2010071305390.html. 

See Drummond, Update on China, supra note 191 (last updated July 9, 2010). 
Drummond, A New Approach to China: An Update, supra note 182. 

See supra Part LB.2. 


194 
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whether the Google-NSA allianee represents continuity and is 
demonstrative of its effectiveness. 


II. If Google Is Approaching the NSA to Protect Itself, Are 
Current Government Policies Proving Ineffective? 

As discussed in Part LB of this Note, very few details have 
been made public about the Google-NSA alliance. This Part will 
discuss the commentary and criticisms that have followed the 
announcement of the partnership. This Part will also present two 
competing arguments: that the formation of the alliance reveals the 
ineffectiveness of the government’s cybersecurity regime and 
highlights the shortcomings of existing policies; and that the 
alliance represents the type of partnership envisioned by current 
cybersecurity initiatives and demonstrates the effectiveness of 
these policies. 

A. The Google-NSA Alliance Is a Marked Departure from Current 

Policy and Demonstrative of its Ineffectiveness 

Privacy is at the heart of the discussion about the Google-NSA 
alliance. Despite the benefits of the alliance discussed in Part II.B, 
privacy organizations such as the American Civil Liberties Union 
(“ACLU”) and the Electronic Privacy Information Center^^^ have 
heavily criticized Internet privacy policies generally, as well as 
Google’s policy specifically, for its insufficient protection of users. 
These concerns play an important role in view of the Google-NSA 
alliance as a significant departure from the government’s stated 
cybersecurity policies. 

1. The NSA Is the Designated Government Agency 

Since 2002, DHS has been at the forefront of national security 
matters, and was designated as the Lead Agency for the technology 
sector in the National Infrastructure Protection Plan.'^^ By 


See Technology and Liberty, Am. Civil Liberties Union, http://www.aclu.org/ 
technology-and-liberty (last visited Sept. 15, 2010); see also Cybersecurity Privacy 
Policy Implications, Elec. Privacy Info. Ctr., http://epic.org/privacy/cybersecurity/ 
default.html (last visited Sept. 15, 2010). 

2006 NIPP, supra note 20, at 3. 
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contrast, the NS A is not mentioned by name in the NIPP as a 
Seetor-Speeifie Ageney for any eritieal infrastrueture seetor.'^^ Its 
inelusion as the de faeto lead government ageney in its partnership 
with Google is thus a signifieant departure from stated government 
polieies regarding CIKR proteetion. Though DHS was designated 
as the Seetor-Speeifie Ageney for both the Information 
Teehnology seetor and Communieations seetor, the NIPP indieates 
that organizations like the NS A that “have unique responsibilities, 
fimetions, or expertise in a partieular CI[]KR seetor” may still 
play an important, but seeondary role in CIKR proteetion efforts 
without Seetor-Speeifie Ageney designation. Speoifieally, sueh 
organizations “will [ajssist in assessing risk, prioritizing CI[]KR, 
and enabling proteetive aetions and programs within that seetor; 
[sjupport the national goal of enhaneing CI[]KR proteetion . . . 
and [ejollaborate with all relevant seeurity partners to share 
seeurity-related information within the seetor, as appropriate.”'^^ 

Experts in this field also see a broader role for the NS A in 
proteeting the nation’s eritieal infrastrueture. Larry M. Wortzel, 
the Viee Chairman of the U.S.-China Eeonomie and Seeurity 
Review Commission, stated in his testimony before the Senate 
Judieiary Subeommittee on Terrorism and Homeland Seeurity that 
the NS A should be at the forefront of eyber efforts, as opposed to 
DHS or another government ageney, for several signifieant 
reasons.^"*' Wortzel eited the NSA’s “strong institutional eulture of 
adherenee to the Eoreign Intelligenee and Surveillanee Aet” and 
emphasized that ageney personnel are unique from other members 
of the intelligenee eommunity beeause in addition to being “skilled 
and superbly trained,” they “are trained to proteet the privaey and 


See id. 

Id. at 22. 

Id. 

Preventing Terrorist Attacks and Protecting Privacy in Cyberspace Before the 
Senate Judiciary Subcomm. on Terrorism and Homeland Security, 111th Cong. (2009) 
(statement of Larry Wortzel, Vice Chairman, U.S.-China Economic and Security Review 
Commission) [hereinafter Wortzel Testimony^ available at http://judiciary.senate.gov/ 
hearings/testimony .cfm? id= 4169&wit_id=8316. 

Wortzel Testimony, supra note 200; see also Foreign Intelligence Surveillance Act, 
50 U.S.C. §§ 1801-1885 (2006); Foreign Intelligence Surveillance Act (FISA), Ctr. for 
Nat’l Sec. Studies, http://www.cnss.org/fisa.htm (last visited Sept. 15, 2010). 
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rights of American persons” and the NSA is the only agency with 
“decades of experience . . . conducting operations in the electronic 
and cyber realms.” The NSA also has “broad international 
contacts with allies and friendly govemments[,] . . . wide contacts 
in the private sector. . . [and] a cadre of highly skilled linguists able 
to work in the languages associated with the origin of the foreign 
intrusions. 

Mike McConnell, director of the NSA under the Clinton 
administration, also supports the NSA’s leadership within the 
realm of cybersecurity.^°"^ McConnell asserts in an article 
published in the Washington Post that the NSA “is the only agency 
in the United States with the legal authority, oversight, and budget 
dedicated to breaking the codes and understanding the capabilities 
and intentions of potential enemies.” Google’s decision to 
approach the NSA rather than DHS for cybersecurity assistance is 
a step down the path that Wortzel and McConnell espouse. 

Though individuals with intimate knowledge of cybersecurity, 
including McConnell and Wortzel, have voiced their support for 
the NSA’s role as the lead government agency for cybersecurity, 
there is considerable opposition to this view. The NSA is often 
characterized as a “spy agency.” A blog post responding to 
Mike McConnell’s Washington Post article^*’^ described the NSA 
as “the ultra-secretive government spy agency that is responsible 
for both listening in on other countries and for defending classified 
government computer systems.” This critique supports the 
NSA’s involvement in helping private companies enhance their 
security systems, as some companies already do, and as 


Wortzel Testimony, supra note 200. 

Id. 

Mike McConnell, We’re Losing the Cyber-War, Here’s the Strategy to Win It, 
Wash. Post, Feb. 28, 2010, at BOl, available at http://www.washingtonpost.com/wp- 
dyn/content/article/2010/02/25/AR2010022502493_pf.html. 

Id. 

Ryan Singel, Cyberwar Hype Intended to Destroy the Open Internet, Threat Level 
Blog, Wired (Mar. 1, 2010, 6:56 P.M.), http://www.wired.com/threatlevel/ 

2010/03/cyber-war-hype; see also Cybersecurity Is Not Your Gig, NSA!, infra note 223. 
See McConnell, supra note 204. 

Singel, supra note 206. 
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McConnell has advocated?®^ Opponents of the NSA’s 
involvement in proteeting private eorporations believe that these 
eompanies “have no business letting the NS A into their networks 
or giving the NS A information that they won’t share with the 
Ameriean people” and appear to draw an arbitrary line at large 
eompanies like Google. This eritique denies that a “eyberwar” 
exists, and that therefore, the involvement of the NS A, the “spy 
ageney,” will not help to proteet against eyberwar attaekers; rather, 
it will only threaten the openness of the Internet. This view 
suggests that its proponents are afraid of the strength and power of 
large eorporations and therefore ehoose to remain ignorant of 
legitimate eyber threats. 

2. Information Sharing: Problems, Questions, and Coneerns 

Google’s announeement that it was targeted in a eyber attaek 
was ineredibly signifieant due to its size and high profile. As 
diseussed above, however, Google and the NS A diselosed little 
about the details of their subsequent partnership. Aeeording to 
both the NIPP and a report published by the Government 

Aeeountability Offiee (“GAO”) in Mareh 2009, information 

211 

sharing is an integral part of the strategy to seeure eyberspaee. 
The term “information” ineludes publie awareness of the national 
seeurity risks assoeiated with eyberspaee as well as the knowledge 
of intrusions that are inereasingly likely under the eurrent seeurity 
regime. The GAO report reeommended an aggressive 
awareness eampaign to inerease the knowledge of both leaders and 
the general publie that the nation is regularly subjeeted to 

213 

eyberattaeks. 

The GAO report also reeommended White House 
aeeountability and responsibility for the leadership and oversight 


See 2006 NIPP, supra note 20, at 14; see also U.S. Gov’t Accountability Office, 
National Cybersecurity Strategy: Key Improvements Are Needed to Strengthen 
THE Nation’s Posture (Mar. 10, 2009) [hereinafter GAO], available at 
http://www.gao.gov/new.items/d09432t.pdf. 

GAO, supra note 211, at 9. 

Id. 
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214 

of national cybersecurity policy. While the Obama 

administration has taken steps toward improvements in 

eyberseeurity, the White House is eonspieuously absent from the 

Google-NSA allianee, and White House leadership is never 

mentioned in the text of the National Infrastrueture Proteetion 

Plan. The NIPP dietates the appointment of a Sector-Speeifie 

Agency for each CIKR sector, with DHS at the forefront of eyber 

efforts, and ongoing information sharing efforts between publie 

and private entities within eaeh seetor. By eontrast, the GAO 

report argues that the White House, rather than a government 

ageney, must assume a leadership role in order for eonseiousness 

to be raised regarding national eyberseeurity eoneerns, both “to be 

suecessful and to send the message to the nation and eyber eritieal 

infrastrueture owners that eyberseeurity is a priority. The 

report states that without aeeountability, information sharing ean 

be jeopardized beeause there is no authority implementing and 

employing ineentives to eneourage aetion, a large part of whieh is 
218 

information sharing. 

The diseussion of Google’s Privaey Poliey in Part LB of this 
Note raises additional questions about information sharing. The 
information provided to Google by a given user is supposedly only 

used “for the purposes described in [its] Privacy Policy and/or the 

2 1 0 

supplementary privaey policy notices for specifie servioes[,]” 
with several additional purposes listed. One such supplement, 
“[pjroteeting the rights or property of Google or our users,” fits 
squarely in the eontext of the China eyberattaeks. Google’s 
intelleetual property was stolen as a eonsequenee of these 
attaeks, and it follows that the “rights or property” addition to 


GAO, supra note 211, at 8. 

See, e.g.. Cyberspace Policy Review, supra note 20; Remarks by the President, 
supra note 20; see also Gov’t Accountability Office, Cybersecurity: Progress 
Made But Challenges Remain in Defining and Coordinating the Comprehensive 
National Initiative (Mar. 2010), available at http://www.gao.gov/new.items/ 
dl0338.pdf. 

See supra Part LA. 

GAO, supra note 211, at 8. 

Id. 

Google Privacy Policy, supra note 94. 

Id. 

Drummond, A New Approach to China, supra note 144. 
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the privacy policy would allow the personal information of Google 
users to be turned over to the NSA in conjunction with any 
investigation conducted by the alliance. 

Though Google says it will ask for consent before sharing 
personal information with other companies or individuals outside 
of Google, one of the specifically enumerated circumstances for 
sharing personal information is applicable in large part to the 
Google-NSA alliance. Google will share personal information 
when there is 

a good faith belief that access, use, preservation, or 
disclosure of such information is reasonably 
necessary to (a) satisfy any applicable law, 
regulation, legal process or enforceable government 
request, (b) enforce applicable Terms of Service, 
including investigation of potential violations 
thereof, (c) detect, prevent, or otherwise address 
fraud, security, or technical issues, or (d) protect 
against harm to the rights, property, or safety of 

Google, its users or the public as required or 

222 

permitted by law. 

The language “enforceable government request” suggests that 
if the NSA were to request personal information about Google 
users as a part of its investigation into the cyberattacks, Google 
could, and very well might, provide it. Organizations such as the 
American Civil Liberties Union and the Electronic Privacy 
Information Center vigorously criticize the NSA’s involvement in 
cybersecurity, especially in the context of the alliance with Google 
because so few details have been publicized. However, this type 


Google Privacy Policy, supra note 94 (emphasis added). 

See, e.g.. Cybersecurity Is Not Your Gig, NSA!, Blog of Rights: Official Blog of 
THE Am. Civil Liberties Union (Feb. 9, 2010), http://www.aclu.org/blog/national- 
security-technology-and-liberty/cybersecurity-not-your-gig-nsa; EPIC Seeks Records on 
Google-NSA Relationship, ELEC. PRIVACY INFO. Ctr. (Feb. 4, 2010), 

http://epic.org/2010/02/epic-seeks-records-on-google-n.html; EPIC Sues NSA to Force 
Disclosure of Cyber Security Authority, Elec. Privacy Info. Ctr. (Feb. 4, 2010), 
http://epic.org/2010/02/epic-sues-nsa-to-force-disclos.html; U.S. Security Agencies 
Begging for a Cybersecurity “Cold War, ” Blog of Rights: Official Blog of the Am. 
Civil Liberties Union (Mar. 3, 2010), http://www.aclu.org/blog/national-security- 
technology-and-liberty/us-security-agencies-begging-cybersecurity-cold-war. 
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of criticism would exist regardless of the particular government 
agency leading national cyberspace proteetion efforts and the fact 
still remains that cyberattacks are continually being launehed 
against the United States. 

3. The Alliance Is Answering a Call for Change 

The history of cybersecurity policy in the United States as 
discussed in Part LA of this Note demonstrates the nation’s 
increasing dependence on cyber-based systems in many of its 
CIKR sectors. The government remains aware that “traditional 
telecommunications and Internet networks eontinue to eonverge, 
and other infrastructure sectors are adopting the Internet as a 
primary means of interconnectivity.” Many of the most recent 
initiatives call for a change in leadership structure on the 
government side of the public-private partnership, and the Google- 
NSA allianee is aecomplishing this goal with the NSA’s 
assumption of leadership as the public sector partner in the 
eollaboration. 

While a large portion of the most recent cybersecurity 
initiative, the Cyberspace Policy Review released in late 2009, 
remained consistent with previous government cyberseeurity 
policies, one recommendation was a relatively new and notable 
change: a call for White House leadership. Like the NSA’s 

leadership in the Google-NSA alliance, this recommendation 
marks a significant departure from previous initiatives, which 
generally called for Sector-Specifie Agencies to assume leadership 
roles for CIKR protection of individual sectors. The Cyberspaee 
Policy Review goes so far as to say that “[t]he status quo is no 
longer acceptable . . . federal leadership and accountability for 
cybersecurity should be strengthened . . . [by] clarifying the 
cybersecurity-related roles and responsibilities of federal 
departments and agencies.” Such statements could be 
considered an admission that the previous initiatives have been 


Cyberspace Policy Review, supra note 20, at iii. 

Id. at V. 

See, e.g., 2006 NIPP, supra note 20; PDD 63, supra note 10; HSPD-7, supra note 

20. 

Cyberspace Policy Review, supra note 20, at iii. 
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unsuccessful. At a minimum, this proclamation calls for changes 
in eybersecurity poliey, and the Google-NSA allianee might well 
be a ehange in the right direetion. Despite the few available details 
about the allianee, the NSA’s signifieant role in the eollaboration 
marks a shift from the established cyberseeurity functions of 
federal agencies. 

Related to this change is the faet that the National 
Infrastrueture Proteetion Plan tasks the Department of Homeland 
Seeurity with the primary responsibility for cyberseeurity poliey, 

as evidenced by its designation as the Sector-Speeifie Ageney for 

228 

the Teleeommunieations and Information Technology sectors. 

As indicated in the Cyberspaee Poliey Review, however, there is a 
eyber dimension aeross CIKR seetors due to inereased use of the 
Internet as a primary source of interconneetivity. The eall for a 
ehange in cyberseeurity policy leadership is a response to the 
pereeived ineffeetiveness under the leadership of DHS and the 
inereased eonvergenee of sectors around the eyber dimension. In 
May 2009, President Obama stated that for eybersecurity purposes, 
“federal ageneies have overlapping missions and don’t eoordinate 
and eommunieate nearly as well as they should—with eaeh other 

990 

or with the private seetor.” 

4. The Government Is Not Keeping Paee With Its Plan 

The Cyberspaee Poliey Review issued by the White House 
outlined a timeline for notions to be taken in the near and long term 
to improve oyberseourity poliey. Melissa Hathaway, the former 
Senior Director for Cyberspace, served under both the Bush and 
Obama administrations and publioly expressed oonoern prior to the 
Google attacks that the government was not meeting the ohallenges 
identified in the Cyberspaee Poliey Review. The oountry has 


See 2006 NIPP, supra note 20, at 3. 

See Cyberspace Policy Review, supra note 20, at iii. 

Remarks by the President, supra note 20. 

See Cyberspace Policy Review, supra note 20, at 37-38. 

Melissa Hathaway, Government Must Keep Pace with Cyberseeurity Threats, Info. 
Sec. Mag. (Oct. 2009), available at http://searchsecurity.techtarget.com/magazine 
Feature/0,296894,sidl4_gcil370150_meml,00.html. Among Ms. Hathaway’s 
accomplishments are the following: leading the 60-day interagency review of 
cyberseeurity policies and programs across the federal government, overseeing the 
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increasingly relied on technology in day-to-day activities, and 
Hathaway writes that the United States has “not invested in the 
resilience neeessary to assure our businesses ean operate in a 
degraded environment.” Reliance on remote aecess and the 
reduetion in costs and manpower needs as a result of networked 
control systems have led to weaknesses that opponents ean 
exploit. Aeeordingly, Hathaway states that the need for 
inereased eyberseeurity has not been adequately addressed and that 
any government response should be “focused, aggressive, and 
well-resoureed.” 

Hathaway’s article also suggests that eollaborative efforts 
between various agencies should “foster innovation and enable our 
information and eommunications infrastructure to fuel the nation’s 
economie growth.” While she applauds some reeent efforts as 
“first steps toward making real and lasting progress” in seeuring 
cyberspaee, bold steps and inereased information sharing are still 
required to proteet the nation’s networks. Even Mike 
MeConnell, in his strongly worded support of the NSA’s 

leadership wrote that “[t]he time to start [protecting cyberspace] 

228 

was yesterday.” 

B. The Google-NSA Alliance Reflects the Effectiveness of Current 
Government Cybersecurity Policy 

Several key elements of the Google-NSA allianee align with 
existing government initiatives concerning cybersecurity. 
Specifically, despite the dearth of publicized details about the 
alliance, it fits within the framework of a publie-private 


development of the Cyberspace Policy Review, helping build the Comprehensive 
National Cybersecurity Initiative (“CNCI”) under the Bush administration, leading 
development of a cross-agency budget submission to support CNCI, establishing 
relationships in Congress to gain bipartisan support for cybersecurity initiatives, 
testifying and briefing with legislators over 150 times, and consulting with DoD and the 
intelligence community in her capacity as a former principal at Booz Allen Hamilton. Id. 

Id. 

See id. 

Id. 

Id. 

Id. 

McConnell, supra note 204. 
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partnership, which the government has identified as the key to 
CIKR protection. The alliance is voluntary, as Google approached 
the NS A, not the other way around. Finally, the alliance represents 
a step towards improving cybersecurity practices by addressing the 
existing lack of awareness as articulated in the National Strategy to 
Secure Cyberspace. The combined power and resources of the two 
organizations could result in new standards for cybersecurity 
protection and will surely increase public awareness of the cyber 
threat. 

1. The Alliance Can Be Characterized as a Public-Private 
Partnership 

Since the issuance of President Clinton’s PDD-63 directive in 
1998, technology has been considered part of the critical 
infrastructure of the United States, and accordingly is best 
protected through a collaborative relationship between the public 
and private sectors. Government initiatives between 1998 and 
the present day cite the public-private partnership as the key to 
securing the nation’s critical infrastructure.^"^^ The National 
Infrastructure Protection Plan provides that Sector-Specific 
Agencies are “responsible for collaborating with private sector 
security partners and encouraging the development of appropriate 

941 

information-sharing and analysis mechanisms within the sector.” 

In the context of the alliance, the NSA fills the role of a Sector- 
Specific agency for technology and cyber systems in collaborating 

242 

with a private sector partner, Google. 

According to the articles written about the alliance, Google’s 
motive for soliciting assistance from the NSA was to assess risk 
and help defend against future cyberattacks. Google’s 
prominent role in the cyber sector could result in the sharing of 


PDD 63, supra note 10. 

See supra Part LA. 

2006 NIPP, supra note 20, at 19. 

The NIPP designates DHS, not the NSA, as the lead agency for the technology 
sector. See supra Part II.B.2. 

See, e.g., Nakashima, supra note 162 (stating that the partnership’s objective was to 
better defend Google). 
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security-related information within the sector, which will be 
discussed later in this Note.^'^'^ 

2. The Alliance Was Formed Voluntarily 

As reported in both The New York Times and the Washington 
Post, Google approached the NS A for assistance, not the other way 
around. The National Infrastructure Protection Plan specifically 
states that “[pjrivate sector owners and operators are responsible 
for taking action to support risk management planning and 
investments in security . . . The level of investment in 

security depends on a risk versus consequence analysis. First, 
private sector enterprises consider what is known about the risk 
environment, and in the cyber world, the answer is usually very 

248 

little due to the dynamic nature of the cyber risk environment. 
The federal government, however, can help inform critical security 
investment decisions and operational planning,^"^^ which is exactly 
the position that the NS A has taken with Google. 

Private companies also consider what is economically viable in 
a competitive marketplace or an environment of limited 
resources. Owners and operators in the private sector often 
“rely on government entities to address risks outside of their 
property or in situations in which the current threat exceeds an 

9S1 

enterprise’s capability to protect itself or mitigate risk.” 
Google’s decision to pull out of China is a clear indication that the 
threat was substantial, and accordingly it has enlisted the NS A 
because the China threat was significant enough to lead Google to 
at least question its capability to protect itself 


See discussion infra Part II.B.3. 

2006 NIPP, supra note 20, at 26. 

Id. 

Id. 

See Cybersecurity, Innovation and the Internet Economy, 75 Fed. Reg. 44216 (July 
28, 2010). 

2006 NIPP, supra note 20, at 26. 

See id. 

Id. 
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3. The Alliance Represents a Step Toward Addressing Cyber 
Vulnerabilities and Best Practices 

The pairing of the NS A and Google aligns with the 
government’s goal of implementing protection programs across the 
various CIKR sectors.^^^ The NIPP states that “[t]he risk 
assessment and prioritization activities within each sector will help 
identify requirements for current protective programs and 
shortfalls for future efforts.” Even if the findings and solutions 
implemented as a result of the alliance are never released to the 
public, they can be shared within each individual sector as “best 
practices” and to improve protective actions, which “involve 
measures designed to prevent, deter and mitigate the threat; reduce 
vulnerability to an attack or other disaster; minimize consequences; 
and enable timely, efficient response and restoration in a post- 
event situation.” 

If no other details of the alliance are made available, the 
cyberattacks on Google and capabilities of the NSA, discussed in 
Part I, support the argument that Google approached the NSA to 
utilize its security expertise in furtherance of these and other goals. 
Publicizing the attacks is an admission of Google’s vulnerabilities 
to attacks on its infrastructure, and by partnering with the NSA it 
wishes to minimize consequences for its users and work toward 
elimination of the threat. 

The partnership was announced within a month after Google 
publicly announced that a cyberattack had occurred. This quick 
response is timely and efficient, and constitutes a measure to 
restore both the company’s own confidence in its security 
measures and the trust and support of Google users worldwide. 
Regardless of the final outcome of the alliance, it addresses current 
cyber vulnerabilities, and could result in the application of a set of 
best practices to be shared within the cyber and technology sectors. 


See id. at 45^8. 

Mat 45. 

Id. 

The Google attacks were announced on January 12, 2010, and the Washington Post 
article appeared on February 4, 2010. See Drummond, A New Approach to China, supra 
note 144; Nakashima, supra note 162. 
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4. The Alliance Promotes Information Sharing Between the 
Public and Private Sectors 

The interdependence between the public and private sectors is 
readily apparent in the technology sector and beyond. Much of the 
nation’s critical infrastructure, including transportation systems, 
communication networks, and the national power grid, depends 
upon the ability of networks in both the public and private sectors 
to share information in cyberspace. The Google-NSA 
partnership can allow for the sharing of critical information to 
analyze the recent attack on Google without infringing privacy 
rights.^^^ The alliance is a real-world manifestation of a stated 
policy goal of the United States and could allow the country “to 
develop a unified and coordinated approach to defending our 
nation’s assets.” One proponent of this course of action believes 
that specifically, “[t]his alliance will help Google better defend its 
intellectual property critical to our nation’s economy while 
providing the NS A key insight into the attack methods and motives 
of the attackers. 

Mike McConnell wrote in an article in the Washington Post 

that “an effective partnership with the private sector [must be 

formed] so information can move quickly back and forth from 

public to private and classified to unclassified—to protect the 

nation’s critical infrastructure.” While he acknowledges that 

arrangements like this alliance “will muddy the waters between the 

traditional roles of the government and the private sector,” 

McConnell states that the Google-NSA partnership “point[s] to the 

kind of joint efforts—and shared challenges” that are likely to be 
261 

seen in the future. 


Google, The NSA, and the Increasing Interdependence Between the Public and 
Private Sectors, Fed. News Radio, Feb. 18, 2010, http://stage-v4.federalnewsradio. 
com/?sid=1891928&nid=293. 

Id. 

Id. 

See id. 

McConnell, supra note 204. 
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Id. 
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III. Problems Across Sectors Further Suggest that 

Current Cybersecurity Policy Needs Improvement 

The public-private partnership has been a cornerstone of 
critical infrastructure protection for over a decade. In its basic 
structure, the Google-NSA alliance fits within the framework of 
the public-private partnership; a government entity and a private 
corporation collaborating to better protect cyberspace. The 
alliance preserves several of the foundation principles of cyber 
policy from 1998 to the present, most notably the basic structure of 
the public-private partnership. In addition, the initiative taken by 
Google, the private sector counterpart, to work with the NS A as a 
government partner comports with the NIPP, which is 
demonstrative of the effectiveness of the policy. Regardless of 
whether the alliance ultimately proves successful, it addresses 
current cyber vulnerabilities, and the relative success or failure of 
this partnership could help in shaping best practices to be shared 
within the cyber and technology sectors. Finally, endorsements 
from two individuals (Wortzel and McConnell) with significant 
knowledge and expertise in cybersecurity and the current 
initiatives, can be considered a strong indication that the alliance is 
not a significant departure from current policies. 

Though the Google-NSA alliance retains some important 
elements of the current cybersecurity posture, its differences from 
the policies in force are much more significant. First, while DHS 
rather than the NS A has traditionally served as the lead 
government agency in critical infrastructure protection within the 
technology sector, the NS A functions as the de facto lead 
government agency in the Google-NSA alliance. The alliance, 
then, allows the NS A to fill a considerably broader role than 
previously provided for it in the NIPP and significantly departs 
from the current policies. 

Cyber systems also transcend individual CIKR sectors due to 
their broad reach, as indicated by the support of the NSA’s 
leadership by several individuals with highly specialized 
knowledge of cyberspace and national security. Proponents of this 
course of action urge that the NS A, rather than DHS, assume a 
leadership role in cyberspace protection because protective efforts 
would not be confined to a given sector. However, as presently 
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drafted, existing policies do not contemplate such a role for the 
NS A. Moreover, substituting the NS A for DHS would not 
significantly disturb the framework of the public-private 
partnership; it simply substitutes one government actor for another. 
However, because the current regime tasks only DHS with 
cyberspace protection, Google’s choice to partner with the NS A 
represents a departure from the type of public-private partnership 
contemplated by the NIPP and other initiatives. 

In publicizing news about the China cyberattacks, Google 
remained silent about the details of its subsequent partnership with 
the NSA, refusing even to confirm or deny the news reports. 
Merely publicizing information about the attack is insufficient to 
satisfy the recommendations of the GAO report and the NIPP to 
drastically raise the level of national awareness about cyberspace 
protection. An increase in information sharing between public and 
private entities cannot reasonably be anticipated without national 
awareness; there is therefore little room for improvement of the 
existing cybersecurity measures without it. The alliance also does 
not comport with either the GAO or the NIPP regarding national 
awareness of cyber protection, which is indicative of 
inconsistencies in cybersecurity policies. These inconsistencies in 
turn suggest that the current initiatives are largely ineffective and 
that the Google-NSA alliance is a positive development in 
cybersecurity. 

The most recent initiatives also appeal for a change in 
government leadership structure, and the Google-NSA alliance is 
accomplishing this goal with the NSA’s assumption of leadership 
as the public sector partner in the collaboration. Finally, the 
government has fallen behind in its implementation: current 
policies make broad recommendations about how to proceed with 
cyberspace protection, but little improvement has been seen to 
date. The alliance represents a significant step away from the 
present initiatives as a response to this lack of progress. 

Taken as a whole, these departures from current cybersecurity 
initiatives indicate that the existing regime is glaringly defective. 
The defects of the current posture and policies are perhaps best 
illustrated by another established public-private partnership, also 
falling squarely within the overarching domain of cyberspace: the 
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Defense Industrial Base (“DIB”), governed by the Department of 
Defense as its Sector-Speeifie Agency pursuant to the National 
Infrastructure Protection Plan.^^^ “The DIB is DoD, the U.S. 
government, and the private sector worldwide industrial complex 
with capabilities to perform research and development (“R&D”), 
design, produce, deliver, and maintain military weapon systems, 
subsystems, components, or parts to meet military 
requirements.” It includes many thousands of foreign and 
domestic entities, as well as their subcontractors, who perform 
work for the Department of Defense and other federal departments 
and agencies.The Defense Industrial Base provides defense- 
related products and services used to “equip, inform, mobilize, 
deploy, and sustain forces conducting military operations 
worldwide,” which includes the domain of cyberspace. Only a 
small percentage of Defense Industrial Base facilities are actually 
owned by the Department of Defense, so the efforts described in 
the Defense Industrial Base Sector-Specific Plan (“DIB SSP”) 
largely “focus on DoD and government actions to support private 
owner/operator efforts at DIB facilities determined to be critical to 
national security. 

The DIB SSP divides the sector into segments, sub-segments, 

967 

and commodities. While many of the Defense Industrial Base 
segments are irrelevant for purposes of this Note, the information 
technology segments, which encompass the sub-segments of 

U.S. Dep’t of Def., Defense Industrial Base: Critical Infrastructure and 
Key Resources Sector-Specific Plan As Input to the National Infrastructure 
Protection Plan 3 (2007) [hereinafter DIB SSP], available at http://www.dhs.gov/ 
xlibrary/assets/nipp-ssp-defense-industrial-base.pdf 

Id. at 4. 

Id. at 5. 

Id. 

Id.; cf. Dep’t of Def., Department of Defense Directive Number 3020.40 (Aug. 
19, 2005), available at http://www.fas.org/irp/doddir/dod/d3020_40.pdf. The Directive 
updates, renames, and reissues the Defense Critical Infrastructure Program (DCIP), 
“which addresses DIB assets owned by the private sector and DOD-owned elements of 
the DIB. Thus, the DIB plan purports to focus on the privately owned and operated 
efforts at DIB facilities rather than on the small fraction of DIB facilities owned by the 
DOD.” Lieutenant Colonel Todd A. Brown, Sovereignty in Cyberspace: Legal Propriety 
of Protecting Defense Industrial Base Information Infrastructure, 64 A.F. L. Rev. 211, 
226-27 (2009). 

See DIB SSP, supra note 262, at 5-6. 
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“command control, computers, and intelligence [and] information 
seeurity” within the Defense Industrial Base, link the information 
teehnology seetor (governed by the Department of Homeland 
Seeurity, pursuant to the National Infrastrueture Proteetion Plan) to 
the defense seetor. Cyberspaee extends aeross eritieal 
infrastrueture sectors, and the unifying faetor of information 
technology creates an espeeially strong parallel between these two 
seetors. To faeilitate information sharing, the DIB SSP identifies 
seeurity partners within the federal government and Department of 
Defense itself, within the private seetor, and on a state, loeal, and 

970 

international so ale. 

Lieutenant Colonel Todd A. Brown^^' argues that the DIB SSP 
is delioient in identifying the speoilio efforts the Department of 
Defense will take to ooordinate CIKR proteetion within the private 
seetor; rather, he olaims that the plan “restates the edits of HSPD-7 
and the NIPP” and points out that the “D[o]D will work with the 
DHS to identify overlaps and gaps in responsibility with other 
seotor-specilic agenoies with regard to DIB assets that belong to 
other seetors.Brown believes that the plan is “partioularly 
inadequate [in] its referenoe to oyber seeurity risks,”^^^ and the 
plan itself actually maintains that “[w]hile cyber seeurity is an 
issue that oould affeot any faoility, DoD does not perform network- 
or system-level assessments.” Rather, the plan states that “DIB 
assets are primarily owned by the private seetor; and that (1) there 
are no regulatory requirements for eondueting formal risk 
assessments, (2) large eompanies eonduet their own risk 
assessments as part of prudent business praetiees, and (3) the 


See supra Part II .A. 3. 

See DIB SSP, supra note 262, at 6-10. 

Brown currently serves as the Judge Advocate for the 187th Fighter Wing of the 
Alabama Air National Guard. See 187th Fighter Wing, Resources, Ala. Air Nat’l 
Guard, http://www.187fw.ang.af mil/resources/index.asp (last visited Aug. 10, 2010). 

Brown, supra note 266, at 227. 

Id. Indeed, the government has begun to recognize its deficiencies in approaching 
sector-specific planning against cyber threats. See Gov’T ACCOUNTABILITY OFFICE, 
Critical Infrastructure Protection: Current Cyber Sector-Specific Planning 
Approach Needs Reassessment (Sept. 2009), available at http://www.gao.gov 
/new.items/d09969.pdf 

DIB SSP, supra note 262, at 17. 
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D[o]D aims to ensure awareness and risk management best 
praetiees throughout the The National Infrastrueture 

Protection Plan emphasizes a “single national effort” for 
integration of the United States’s CIKR protection initiatives, 
and Brown expresses concern that small members of the Defense 
Industrial Base in the private sector are being overlooked, because 
they may not have the resources to conduct risk assessments on the 
same scale as large companies, and asks how the Department of 
Defense "‘aim[s] to ensure awareness across the entire sector.”^^^ 

Google, a veritable giant in the realm of technology and 
cyberspace, is a large private company with significant resources 
available to assess the risk of cyber threats it may confront. As 
indicated by the recent partnership with the NSA, Google has 
enlisted help from the government in analyzing the cyber risks it 
has already faced and will continue to combat, presumably because 
its own cybersecurity resources have proven insufficient. If the 
resources of large private companies in the Telecommunications/ 
Information Technology sectors are proving to be inadequate, it is 
unreasonable to assume that smaller private entities within the 
sector have the capabilities to defend against cyber threats. 
Applying Brown’s perspective on the Defense Industrial Base to 
this sector, however, exposes a strong parallel between the two 
sectors: small-scale members of private industry across CIKR 
sectors face unique challenges in forming public-private 
partnerships. These obstacles are twofold: smaller private entities 
do not have the resources of a giant like Google to assess cyber 
risks on their own, and may not be aware of the opportunities for 
information sharing available to them under the National 
Infrastructure Protection Plan. Thus, both the Defense Industrial 
Base and the technology sector have considerable gaps to fill in 
cybersecurity protection as articulated by the National 
Infrastructure Protection Plan, suggesting that the current policies 
are ineffective. 


Brown, supra note 266, at 227-28. 
2006 NIPP, supra note 20, at i. 
Brown, supra note 266, at 228. 

See supra Part II. 
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Brown also argues that the DIB SSP is noneompliant “with the 
HSPD-7 direetive that the tasked departments share information 
about cyber threats.” The National Infrastructure Protection 
Plan recommends that information sharing between the public and 
private sectors be conducted using a networked approach with 
significant reliance on critical infrastructure information provided 
by the private sector. However, the DIB SSP does not discuss 
coordination of information sharing; rather, it states that the 
Department of Defense “relies on private sector organizations to 
exchange information regarding DIB infrastructure.” Brown 
asserts that responsibility for these information-sharing efforts is 
being relegated back to the Department of Homeland Security, 
while the Department of Defense seems to take on a supporting 
role in “efforts to address cyber incidents, conduct vulnerability 
assessments, develop risk management strategies, and facilitate 
information sharing.” The DIB SSP lists a number of federal 
agency partners in its CIKR protection within the sector, including 
the Department of Homeland Security: the Office of Infrastructure 
Protection (“OIP”) and the Office of Cyber Security and 
Telecommunications (“CST”) are jointly “responsible for 
deterring, preventing, and defeating cyber incidents across all CI[ 
]KR sectors.” As discussed in Part II.A.3, the most recent 
policy initiatives have called for a change in cybersecurity policy 
leadership. Thus, the argument that the Google-NSA alliance is a 
distinct departure from current policies due to inefficiencies is 
further strengthened by the analogous difficulties in information 
sharing within the Defense Industrial Base, a related CIKR sector. 

Perhaps the most salient point of Brown’s analysis is that the 
emphasis on voluntary participation on the part of the private 
sector is the greatest challenge in successful information 
sharing. The sensitive nature of such information, be it relevant 
to business or security, renders its safekeeping critical because 


Brown, supra note 266, at 228. 

See 2006 NIPP, supra note 20, at 57-66. 
Brown, supra note 266, at 228. 

Id. (quoting DIB SSP, supra note 262, at 7). 
Brown, supra note 266, at 228. 

DIP SSP, supra note 262, at 8. 

Brown, supra note 266, at 228-29. 
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unauthorized disclosure or access could result in “serious damage 
to private industry, the economy, public safety, or public 
security.” As such, the information sharing problems and 
concerns discussed in Part II.A.2 of this Note are pervasive across 
sectors, further reinforcing the argument that current 
government cybersecurity policies are largely ineffective. It 
follows that the Google-NSA alliance represents a departure from 
these strategies pursuant to the most recent initiatives taken 
regarding cybersecurity policy, and proposes a unique solution to 
the problems the United States faces in the cybersecurity arena. 

Whether or not the Google-NSA alliance is ultimately 
successful in filling the gaps left by current cybersecurity policy, it 
should be viewed as a step toward improvement. Members of both 
the public and private sectors have expressed concern about 
cybersecurity in the United States, and this unlikely pairing 
represents a unified front to address a common concern. The 
framework of the alliance has incorporated the hallmarks of the 
current policy initiatives, most significantly the public-private 
partnership, which should be satisfactory to those supporters of the 
present policy framework. While many outspoken critics reject the 

notion of “cyberwar” generally and the security concerns that 

280 

logically follow, some even saying that cyberwar does not exist. 


Id. at 229. 

See Gov’t Accountability Office, Intelligence Surveillance and 
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remarks during the Brookings forum); Technology and Trust: Privacy and Security 
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the fact remains that Google, an Internet giant in every sense of the 
word, was subjected to cyberattacks.It subsequently admitted 
its security vulnerabilities and strongly suggested that its users take 
precautions when using the Internet. Though this statement is far 
from an admission of the existence of “cyberwar,” it is conclusive 
proof of a significant threat. Current policies are simply not 
enough to combat the severity of the threats posed by cyberspace. 
Though the security measures that have been taken form a solid 
foundation, the existing cyberspace protection programs are simply 
insufficient. The Google-NSA alliance has reformulated the 
touchstones of the early and present cybersecurity efforts to 
increase voluntary information sharing and best practices between 
the public and private sectors. Initiatives such as the Google-NSA 
alliance must be supported by the public to prevent further 
cyberattacks and increase the security of the nation’s cyber 
systems. 


Conclusion 

The Google-NSA alliance is unprecedented, regardless of 
whether it actually demonstrates a departure from the nation’s 
current cybersecurity policies. In comparing the Defense 
Industrial Base and the Telecommunications and Information 
Technology sectors, a larger problem emerges: in practice, current 
cyberspace protection programs simply do not have the broad 
reach across individual sectors that PDD-63 and its progeny 
intended. Cybersecurity is a necessary component of CIKR 
protection across the nation’s infrastructure, and the most recent 
cybersecurity policies essentially acknowledge the shortcomings of 
the present initiatives. 

If the Google-NSA alliance proves to be a solution to the 
deficiencies of present cybersecurity policy, it would not be 


03/29/the-top-five-cyber-fallacies; Richard Stiennon, The Ten-Year-Old "Cyberwar" 
Debate Continues, The Firewall Blog, Forbes (June 16, 2010, 9:59 AM) http://blogs. 
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infallible because questions of privacy, international implications, 
and information sharing and security remain. The Google 
cyberattacks that prompted the alliance resulted in theft of 
intellectual property, which can be characterized as “the heart and 
core value of companies worldwide.” A global company’s 
intellectual property includes “trade secrets, proprietary formulas, 
copyrights, trademarks, and source code . . . .” While privacy 
concerns about individual user data have a strong foundation, this 
Note proposes that even the strongest privacy advocate consider 
the large-scale implications resulting from corporate intellectual 
property theft. If a future cyberattack were to successfully obtain 
additional intellectual property belonging to Google, the security 
of Google users’ private information would be jeopardized. 
Cyberspace, by definition a difficult area to defend, remains 
largely unprotected, despite a decade’s worth of security 
initiatives. All users of the Internet should be supportive of the 
fledgling partnership between private industry and the public 
sector as they work towards the strongest possible security solution 
to secure cyberspace for the benefit of all Americans. 


McAfee Labs and McAfee Foundstone Prof’l Servs., Protecting Your 
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16, 2010). 





